ABSTRACT

Title of Dissertation: KEY MANAGEMENT FOR SECURE MULTICAST COMMUNICATIONS

Radhakrishnan Poovendran, Doctor of Philosophy, 1999

Dissertation directed by: Professor John S. Baras
Department of Electrical and Computer Engineering


Providing key management schemes for large scale multicast groups has become an important problem due to many potential commercial applications, such as stock quote and software distribution on the Internet. For secure multicast communication, all the group members have to share a common session key. Since member dynamics such as joins or deletions do not necessarily terminate the multicast session, it is important to update the session key for all the valid members, so that non-members do not have access to future keys. Finding efficient ways of generating and distributing keys in the presence of member dynamics is an actively researched problem.

This dissertation considers the single sender, multiple receiver model of secure multicast communication. The goal is to develop schemes that have reduced computational overhead at the time of key generation, minimize the number of message units required at the time of key updates, and minimize the number of keys to be stored by the sender as well as by the receivers. In order to achieve this goal, a key generation and distribution architecture based on rooted trees and control panels is proposed. A control panel is assumed to consist of mutually suspicious members who jointly generate the keys that are distributed to the rest of the members. Based on this assumption about the control panel, we provide a distributed key generation mechanism which allows a set of mutually suspicious members to contribute to the generation of a joint secret without revealing their individual contributions.

The key distribution scheme presented considers the member revocation event and relates it to the key assignment of individual users. We define the entropy of the member revocation event and show that it plays an important role in determining the number of keys assigned to a member. We claim that the number of keys allocated to a member on the basis of elementary concepts from information theory also corresponds to the minimum number of keys that need to be assigned to a member unless an additional functional relationship among the keys exists, since it completely captures the uncertainty of the member revocation event. We also identify some weaknesses in the recent schemes of [17, 15], and solve an open problem posed at Eurocrypt'99 [16].
Chapter 1

Introduction


Internet applications such as online games, newscasts, stock quotes, multiparty conferences, and military communications can benefit from secure multicast communications. In most of these applications, users typically receive identical information from a single sender or from multiple senders. Hence, grouping these users into a single multicast group and providing a common session encryption key to all of them reduces the number of message units to be encrypted by the senders. Securing group communications or computations leads to challenging problems such as maintaining communication integrity in the presence of group membership changes, establishing source authentication, and minimizing the key storage size and the number of update messages at the senders as well as at the receivers.

This dissertation addresses the key generation and distribution problems associated with maintaining communication integrity in the presence of membership changes. We consider the single sender, multiple receiver model of multicast communications. Source authentication is not addressed in this dissertation.
1.1 Key Distribution


An important problem in preserving communication integrity is that of controlling membership of the multicast group such that only the valid, that is, the authorized and legitimate, members have access to the group communications. In this context, secure communication and computation is achieved by providing a common group key to all the valid members for session encryption, and updating the key whenever there is a need. This common key goes by various names, such as session key, traffic encrypting key, or net key [10, 11].

The key distribution and update scheme should prevent any set of members from collaborating, or colluding, to obtain future keys or keys assigned to other members. In particular, revoked members of the group should not be able to collaborate and obtain the future keys of the multicast group.

The problem of controlling membership of the multicast group is thus reduced to the problem of maintaining the following condition, or invariant: at any time, all the valid group members and only the valid group members have access to the current session key, and no collusion among non-members can recover it.

A modified version of the key assignment problem is to find key distribution methods that satisfy the invariant and also require the minimum number of keys to be stored and updated with membership changes. This modified problem is addressed using concepts from information theory.

1.2 Key Generation

Another important problem in preserving communication integrity is to find methods for a set of members to jointly generate keys without having to expose their individual contributions to the generation of the group keys.

Most of the currently available group key generation schemes fall into two categories. They either generate group public keys with the help of a trusted third party, or they are based on a generalization of the Diffie-Hellman (DH) technique to group keying (DH keys are common shared keys). The generalized Diffie-Hellman scheme, which has been used extensively in recent group communication protocols, involves several exponentiations, and the computation scales linearly with the group size N. Both of these methods rely on assumed cryptographic hard problems: computing discrete logarithms or factoring integers.

We present a key generation scheme that does not depend on the computational difficulty of integer factoring or of the discrete logarithm, but instead makes use of the concept of a one-time pad. The scheme allows the key generating members to locally compute one-time pads and to use them to securely exchange their individual shares without exposing them. The padded shares are combined to generate the padded common secret. Our scheme also provides a method to compute a group parameter that is a combination of all the pads, and that can be used to remove the combined padding effect and extract the common secret. If the key generation mechanism can provide uniformly distributed variables over the interval of interest, the scheme is resistant to attacks from any individual member or from up to (N - 2) collaborating members. An advantage of our scheme is that it can be used for the generation of group shared keys as well as of public keys.
1.3 Contributions


This dissertation makes the following technical contributions:

1. It defines a distributed key generation scheme that allows a set of members to contribute to the common key generation without exposing their individual secrets. The scheme allows members to locally compute the one-time pads and a group binding parameter that removes the combined effect of the padding at the time of common secret construction. This has the advantage that future one-time pads need not be pre-distributed and stored. The scheme can be used for generating group shared keys or, with suitable modifications, public keys.

2. It explains how to use basic concepts of information theory to: (a) determine the optimal number of keys allocated to a member, (b) find the average key length that can be supported, (c) interpret the weaknesses of current schemes, and (d) determine the optimal cluster size with the maximum amount of uncertainty as to which cluster will be compromised next.

3. It defines a key management architecture that makes use of the key generation and distribution schemes mentioned above.

1.4 Dissertation Organization

The second chapter reviews the background work and identifies the requirements of the key management architecture from the viewpoint of key generation, distribution, and rekeying. The third chapter presents the new key generation scheme based on the requirements identified in the second chapter, together with its analysis. The fourth chapter presents the notion of optimal schemes for key distribution. The fifth chapter presents a clustering strategy based on maximum uncertainty of cluster revocation, which provides an optimal key allocation and answers a problem posed as open at Eurocrypt'99. The last chapter presents some possible future research directions.
Chapter 2

Related Work


In this chapter, we present the key distribution and generation approaches proposed to date and analyze their properties. We define the factors that influence the design of a key management scheme and then identify the desirable properties of a multicast key management scheme. This enables us to evaluate the strengths and weaknesses of the schemes discussed and the different optimality claims made for them. Since the terminology used by these schemes varies, we introduce a common terminology and the associated notation to provide a basis for comparing the schemes.


2.1 Factors influencing the design of a Key Management Scheme

The design of a key management scheme is influenced by the following factors:

• The heterogeneous nature of the group membership, which affects the type of encryption algorithm that can be used and the length of the key that an end user can support.

• The cost of setting up and initializing the entire set of system parameters, such as selection of the Group Controller (GC), group announcement, member join, and initial key distribution.

• Administrative policies, such as those defining which members have the authorization to generate keys.

• The required level of performance, in parameters such as session sustainability and key generation rates.

• Additional external support mechanisms that are required, such as the availability of a Certificate Authority (CA).

2.1.1 Desirable Properties of a Multicast Key Management Scheme

In addition to the factors mentioned above, a multicast key management scheme needs to exhibit the following desirable properties:

1. Ability to handle membership changes. This is important since the whole group must share a single session encryption key. Communication integrity in the presence of membership changes means the ability of the group to update the session key and distribute it to the valid members, with backward traffic protection where required, so that a newly admitted member cannot read traffic sent before it joined.

2. Ability to prevent user collusion. This is important since a subset of members, or the deleted members, should not be able to collaborate and construct the keys of other members or the future group keys.

3. Ability to provide scalability in security related administration, such as member admission, deletion, key revocation, and updates. This is important so that security administration does not become the performance bottleneck.

4. Ability to handle inter-domain security issues, such as the security parameters and cryptographic schemes of various clusters. This is important since some members may belong to more than one group and may need to communicate across groups.

2.1.2 Abstract Parameters and the Terminology Used

We now present the abstract parameters and the common terminology used to explain the properties of the various published secure multicast schemes.

1. The set of $N$ receivers (users) in the single sender, multiple receiver multicast group is denoted by $\mathcal{M} = \{M_1, M_2, \ldots, M_N\}$.

2. The Group Controller or Group Center (GC) is assumed to be the sender of the group, and $GC \notin \mathcal{M}$. Hence, the GC is not considered a receiver.

3. The Session Key is denoted by $SK$. It is also called the Traffic Encrypting Key, or TEK, in some of the recent work.

4. The Key Encrypting Key is denoted by $KEK$.

5. Each user $M_i \in \mathcal{M}$ holds a set of keys denoted by $K(M_i)$.

6. The set of all keys used by the group is denoted by $\mathcal{K}$. We note that $SK \in \mathcal{K}$. Also, $\mathcal{K} = \bigcup_{M_i \in \mathcal{M}} K(M_i)$.

7. The probability of member $M_i$ being revoked is denoted by $p_i$.

8. The expression $H_d = -\sum_{i=1}^{N} p_i \log_d p_i$ denotes the $d$-ary entropy of the member revocation event.

9. We say members $M_j$ and $M_l$ can collude and compromise member $M_i$ if $K(M_i) \subseteq K(M_j) \cup K(M_l)$. Hence, a key assignment free of compromise due to user collusion requires $K(M_i) \not\subseteq K(M_j) \cup K(M_l)$ for every $j, l \neq i$.

10. Encryption of a message $m$ by key $K$ is denoted by $\{m\}_K$.

11. Transmission of a message $m$ from member $A$ to member $B$, encrypted using key $K$, is denoted by $A \rightarrow B : \{m\}_K$.

12. We denote by $K^{-1}$ the private key corresponding to the public key $K$. Hence the public key pair is denoted by $(K, K^{-1})$.

2.2 Summary of Multicast Key Management Schemes

We first summarize the multicast key management schemes that provide key distribution functionality. These schemes do not address key generation or group initialization. We then review schemes that describe key generation.

2.2.1 Group Key Management Protocol

The Group Key Management Protocol (GKMP) of [7, 8] proposes a single GC that performs all the security related administrative tasks, including member join, deletion, maintenance of the ACL, and key generation and distribution.

The GKMP has the following features:

1. The group is managed by a single group controller (GC).

2. The group uses a Group Traffic Encrypting Key (GTEK) and a future Group Key Encrypting Key (GKEK).

3. The Group Key Packet (GKP) generated by the GC at update step $n$ is given by $GKP_n = \{GTEK_n, GKEK_{n+1}\}$.

The following are the advantages of this method:

1. A single encryption can update the keys for the whole group.

2. The GC has information about the entire membership.

3. The number of keys to be stored is two, the minimum possible value for any scheme without authentication requirements.

The following are the disadvantages of the method:

1. Since all the members share a single key encrypting key (and session key), failure or compromise of a single member compromises the group key packet, and hence all future group communication. This forces the entire group to be reinitialized.

2. The single GC becomes a performance bottleneck for security related operations, since every join and deletion has to be handled by the GC.

3. Since the GC is the only entity permitted to generate keys, failure or compromise of the GC will prevent proper key updates when they are needed.
2.2.2 Scalable Key Management with Core Based Trees

In an attempt to support scalability in security administration, the Scalable Multicast Key Distribution scheme associated with Core Based Trees (CBT) was proposed by Ballardie [36]. The CBT based key management scheme has the following properties:

1. The CBT uses a single GC to generate the session key and the key encrypting key.

2. The CBT attains scalability in security administration by explicitly allowing any valid member of the group to admit new members and distribute the keys.

The CBT has the following drawbacks:

1. Since the CBT distributes a single key encrypting key and a single session encrypting key, compromise of a single member compromises these two keys, and with them the future group communication.

2. The scalability of the CBT comes at the expense of assuming that all the group members can be unconditionally trusted, without any verification mechanism, to distribute the keys only to valid future members.

2.2.3 Cluster Based Protocols

Since GKMP and CBT use a single Group Key Packet for the entire group, deletion or compromise of a single member invalidates the keys of the entire group. In [35, 9], a solution to this problem was suggested by partitioning the group into clusters. These schemes have the following features:

1. A given group is partitioned into clusters.

2. Each cluster is assigned a cluster controller.

3. Each cluster has its own cluster session encrypting key and cluster key encrypting key.

4. The cluster controller generates the cluster keys and performs security administration for the cluster.

An advantage of this approach is that the impact of rekeying is limited to the individual cluster.

The following are the problems associated with these schemes:

1. Finding intermediate single nodes or members that "can be unconditionally trusted" to perform security related operations for cluster control may be difficult. Since remote monitoring and verification of a single node is difficult, there have been several recent attempts to develop "collective entity" or threshold based administration.

2. Each cluster uses a single key encrypting key. Hence, a single member compromise inside the cluster compromises the future keys of the cluster, as in the case of GKMP and CBT.

The schemes summarized so far use a common future key encrypting key. Though this approach minimizes the storage requirements, compromise of a single member leads to the compromise of all future keys. If instead each member is given a unique key encrypting key, revocation or compromise of a member does not affect the key encrypting keys of the other members. However, a key update then requires $O(N)$ encryptions. A desirable solution is a tradeoff between these two extremes. One such solution is rooted tree based key distribution, in which more than one key encrypting key is distributed to every member.

2.2.4 Tree Based Schemes for Key Distribution

The first attempt at using a rooted tree based key distribution approach for efficient member revocation was proposed independently in [10] and [11]. Modifications to reduce the computational and key storage requirements at the time of key updates for these two methods were later presented in [17, 15, 14, 13]. We briefly review the basic concept behind rooted tree based key distribution below.

2.2.5 Distribution of Keys on the Tree

As a concrete illustration, figure 2.1 presents a KEK distribution based on a binary rooted tree for eight members. In this approach, each leaf of the tree represents a unique member of the group, i.e. the leaves are in one-to-one correspondence with the members. Each node of the tree represents a key. The set of keys along the path from the root to a particular leaf node is assigned to the member represented by that leaf node. For example, member $M_1$ in figure 2.1 is assigned the KEKs $\{K_0, K_{2.1}, K_{1.1}, K_{0.1}\}$.

If there is no member deletion, revocation, or compromise, the common KEK denoted by $K_0$ can be used to update the session key for all the members. The tree structure also induces a natural hierarchical grouping among the members. By logically placing the members appropriately, the GC can choose the appropriate keys and hence selectively update, if needed, the keys of a subset of the group.
[Figure 2.1 (binary key tree): the root key $K_0$ at the top, members $M_1$ through $M_8$ at the leaves]

Figure 2.1: The Logical Key Tree of [10, 11, 13, 15, 17]

For example, in figure 2.1, members $M_5$, $M_6$, $M_7$, and $M_8$ exclusively share the key $K_{2.2}$. The GC can use the key $K_{2.2}$ to selectively communicate with members $M_5$, $M_6$, $M_7$, and $M_8$. Hence, the local grouping of the members and the keys shared on the tree may be decided by the GC based on application specific needs. In order to be able to selectively disseminate information to a subset of group members, the GC has to ensure that the common key assigned to a subset is not assigned to any member not belonging to that subset. In figure 2.1, if the group controller needs to update the key $K_{2.2}$, it can do so by first generating a new version of $K_{2.2}$ and then performing two encryptions, one with $K_{1.3}$ and the other with $K_{1.4}$. Using the notation $\{m\}_K$ to denote the encryption of $m$ with key $K$, and the notation $A \rightarrow B : \{m\}_K$ to denote the secure exchange of message $m$ from $A$ to $B$, the following two messages are needed to update key $K_{2.2}$ for the relevant members of the group:

$GC \rightarrow M_5, M_6 : \{K_{2.2}\}_{K_{1.3}}$
$GC \rightarrow M_7, M_8 : \{K_{2.2}\}_{K_{1.4}}$

Although we used a tree with uniform depth to all its leaf nodes, this is not necessary in general. The selection of uniform depth relates to the maximum entropy of the member revocation event, as explained in chapter 4.

2.2.6 Member Revocation in Rooted Trees

Since the $SK$ and the root key are common to all the members of the multicast group, they have to be invalidated each time a member is revoked. Apart from these two keys, all the intermediate KEKs of the revoked member need to be invalidated. In the event of bulk member revocation, the GC has to:

• Identify all the invalid keys,

• Find the minimal number of valid keys that need to be used to transmit the updated keys.

Member $M_1$ in figure 2.1 is indexed by the set of four keys $\{K_0, K_{2.1}, K_{1.1}, K_{0.1}\}$. Revoking $M_1$ is equivalent to invalidating these four keys, generating new versions of those that are still shared with valid members, and updating the keys of the appropriate valid members. When $M_1$ is revoked, the following key updates need to be performed: (a) members $M_5$ to $M_8$ need to update $\{K_0\}$, (b) members $M_3$ and $M_4$ need to update $\{K_0, K_{2.1}\}$, and (c) member $M_2$ needs to update $\{K_0, K_{2.1}, K_{1.1}\}$.

Revocation of a single member involves $O(\log_d N)$ messages to update the $\log_d N$ keys on the rooted $d$-ary tree. If the number of members to be revoked is two or more, the number of messages may be further reduced, depending on the location of the revoked members. In order to further reduce the number of update messages under bulk member removal, the indices of the valid members have to be considered and grouped so that the maximum number of valid members share a common key. Direct computations are based on Boolean function minimization techniques and are not computationally efficient.
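The path key assignment of section 2.2.5, the pairwise collusion condition of item 9 in section 2.1.2, and the rekey messages of section 2.2.6 are worked through in the following Python example, added here and not part of the dissertation. It assumes the key naming of figure 2.1 as read above (K0 for the root, K2.1 and K2.2 below it, K1.1 to K1.4 above the leaves, and K0.1 to K0.8 for the individual leaf keys) and generalizes to any full d-ary tree of uniform depth. The GC is modeled only by the list of messages it would send, new key versions are marked with a prime, and the eight-member group is constructed inline.

```python
"""Logical key tree of Figure 2.1: path key assignment (Section 2.2.5), the
pairwise collusion check of Section 2.1.2 item 9, and the rekey messages of
Section 2.2.6.  Added example, not code from the dissertation."""
from collections import defaultdict

def build_tree(n, d=2):
    """Full d-ary tree of uniform depth with n = d**height leaves.  Key names
    follow Figure 2.1 as read here (assumption): 'K0' is the root, 'K{h}.{j}'
    the j-th key at height h above the leaves, 'K0.{j}' the individual key of
    member j.  Returns (keys_of, children): keys_of[j] is member j's path from
    the root down, children maps every key to its child keys."""
    height = 0
    while d ** height < n:
        height += 1
    if d ** height != n:
        raise ValueError("n must be a power of d")
    def name(h, j):
        return "K0" if h == height else f"K{h}.{j}"
    children = {name(h, j): [name(h - 1, (j - 1) * d + c) for c in range(1, d + 1)]
                for h in range(height, 0, -1) for j in range(1, d ** (height - h) + 1)}
    keys_of = {}
    for m in range(1, n + 1):
        path, j = [], m
        for h in range(height + 1):          # climb from the leaf to the root
            path.append(name(h, j))
            j = (j - 1) // d + 1
        keys_of[m] = path[::-1]
    return keys_of, children

def exclusive_keys(keys_of, subset):
    """Keys held by every member of `subset` and by nobody outside it, i.e. the
    keys the GC may use to address exactly that subset."""
    common = set.intersection(*(set(keys_of[m]) for m in subset))
    others = set().union(*(set(keys_of[m]) for m in keys_of if m not in subset))
    return common - others

def colluding_pairs(keys_of):
    """Triples (i, j, l) with K(M_i) a subset of K(M_j) U K(M_l): members j and l
    can collude to compromise M_i.  An empty list means collusion free."""
    bad = []
    for i in keys_of:
        for j in keys_of:
            for l in keys_of:
                if j < l and i not in (j, l) and (
                        set(keys_of[i]) <= set(keys_of[j]) | set(keys_of[l])):
                    bad.append((i, j, l))
    return bad

def revoke(keys_of, children, revoked):
    """Rekey after revoking `revoked`.  Every key on a revoked path is invalid.
    From the lowest invalid key upward, the GC issues a new version (name + "'")
    of each invalid key that still has a valid member below it, sent once per
    child subtree holding a valid member: under the child key if it is still
    valid, under the child's new version if it was replaced as well.  Invalid
    keys with no valid member left are dropped.  Returns (dropped, messages)."""
    invalid = {k for m in revoked for k in keys_of[m]}
    valid = set(keys_of) - set(revoked)
    holders = defaultdict(set)
    for m, ks in keys_of.items():
        for k in ks:
            holders[k].add(m)
    def height(k):                           # distance from the leaf end of a path
        m = next(iter(holders[k]))
        return len(keys_of[m]) - 1 - keys_of[m].index(k)
    dropped, messages = [], []
    for k in sorted(invalid, key=height):
        if not holders[k] & valid:
            dropped.append(k)
            continue
        for child in children.get(k, []):
            live = holders[child] & valid
            if live:
                wrap = child + "'" if child in invalid else child
                messages.append((k + "'", wrap, frozenset(live)))   # {new}_wrap -> live
    return dropped, messages

def delivered(keys_of, messages):
    """New keys each member can unwrap, processing messages in order so that a
    key just unwrapped can unwrap later ones.  A revoked member, all of whose
    keys are invalid, must end with nothing."""
    got = {}
    for m, ks in keys_of.items():
        held, learned = set(ks), set()
        for new, wrap, _ in messages:
            if wrap in held:
                held.add(new)
                learned.add(new)
        got[m] = learned
    return got

if __name__ == "__main__":
    keys_of, children = build_tree(8, 2)    # constructed eight-member group
    dropped, msgs = revoke(keys_of, children, [1])
    for new, wrap, to in msgs:
        print(f"GC -> M{sorted(to)} : {{{new}}}_{wrap}")
    print(delivered(keys_of, msgs))
```

Revoking M1 produces the five messages {K1.1'}_{K0.2}, {K2.1'}_{K1.1'}, {K2.1'}_{K1.2}, {K0'}_{K2.1'}, and {K0'}_{K2.2}, which deliver exactly the updates (a) to (c) listed above and nothing to M1; revoking M1 and M2 together drops K1.1 entirely and needs only three messages, which is the location dependence of the bulk case.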


2.3 Generation of the Group Keys

We noted that a single node failure at the GC can lead to termination of the security related operations of the group. We also noted from the CBT and Iolus that finding "trusted" intermediate nodes may be a problem in a network. Even in the case of the rooted trees, a single node GC is used for key generation, which may compromise the whole system if the GC were to be compromised. In our early work [22, 24], we presented a cluster panel based key generation scheme. The approach presented there can be used by a set of distributed members to generate a common key. In the context of multicast key management, the cluster control panel jointly generates the common keys and uses them directly or as seeds for generating the keys on the trees. We present the group Diffie-Hellman (DH) approach of [2], which does not require a trusted third party for key generation. Group RSA is also possible [26] but requires a trusted third party. Moreover, group RSA involves additional tests that are not required in the group Diffie-Hellman scheme.

2.3.1 Group Diffie-Hellman Scheme

Joint group key generation can lead to a group shared key or to a group public key. In the event that the generated key is a shared key, the generalized Diffie-Hellman (DH) approach proposed in [2] can be used. If the desired group key is to be a public key, depending on whether the key is of the ElGamal or the RSA type, there are two different recent proposals that allow a set of members to generate the joint public keys with the assistance of an information theoretic helper. In many applications, such as the secure multicast protocols proposed in [9, 22], it is not always possible to find an "information theoretic helper". Another distributed joint secret generation scheme not based on any hardness problem was proposed in [37, 38]. Although that scheme is computationally efficient, it has a security weakness that allows two or more members to collaborate and obtain the contribution of individual members. We briefly describe each of these methods below.

Table 2.1: Notations for the Group DH problem

    N            number of key generating members
    i, j, l, m   key generating member indices
    M_i          key generating member i
    q            order of the algebraic group G
    g            generator of G
    K_i          secret key of member M_i
    a_i          random exponent in Z_q^*, chosen by member M_i
    K            joint key/secret generated by the N members
    K_{ij}       shared key between members M_i and M_j

2.3.2 Group Diffie-Hellman Extension Keys

The following notation and assumptions are used in describing the group DH problem. The notation is from [2], and is used here to maintain consistency with [2].

All arithmetic operations are performed in the group $G$, a cyclic subgroup of prime order $q$ in $\mathbb{Z}_p^*$, with $p = lq + 1$ for some $l \in \mathbb{N}$. We first describe the simple two-party case and then the multiparty case.

2.3.3 Two Party DH Problem

In the simplest setup, consisting of two members denoted $M_i$ and $M_j$, a solution to the problem is to perform Diffie-Hellman secret generation as follows. Members $M_i$ and $M_j$ agree upon the group and a generator $g$. Members $M_i$ and $M_j$ choose random integers $a$ and $b$ such that $1 < a, b < q - 1$, and compute $g^a$ and $g^b$. The members then exchange these values (the message exchange is kept as simple as possible to illustrate the concept):

$M_i \rightarrow M_j : g^a$
$M_j \rightarrow M_i : g^b$

After the exchange, each member can independently compute $g^{ab}$ from the message received from the other member. Assuming that computing discrete logarithms is difficult, if $a$ and $b$ are the private keys of members $M_i$ and $M_j$, then the group public key is given by $g^{ab}$. The group, however, does not share a common private key, and the authors of [2] proposed a group key without allowing the members to share a common private key. Every member performs one modular exponentiation, that is, $O(\log q)$ squarings, to compute $g^{ab}$. The minimum number of message exchanges needed for key establishment is two.

2.3.4 Multiparty Group DH Problem

There are three versions of the multiparty group DH key extensions in [2]. We describe the basic one, denoted Generalized DH.1 (GDH.1). All three algorithms consist of two stages called up-flow and down-flow. In the up-flow stage, members collect the contributions of the preceding members and propagate them to the next highest indexed member, extending the message sequence by one element. The message exchange for the up-flow is given by

$M_i \rightarrow M_{i+1} : \{g^{a_1}, g^{a_1 a_2}, \ldots, g^{a_1 a_2 \cdots a_i}\}, \quad i = 1, \ldots, N-1.$

For example, member $M_5$ receives $\{g^{a_1}, g^{a_1 a_2}, g^{a_1 a_2 a_3}, g^{a_1 a_2 a_3 a_4}\}$ and forwards $\{g^{a_1}, g^{a_1 a_2}, \ldots, g^{a_1 a_2 a_3 a_4 a_5}\}$ to member $M_6$. In the up-flow stage, each member needs to perform one exponentiation. From the indices of the message, member $M_i$ sends $i$ values to member $M_{i+1}$. The last member of the group, $M_N$, computes the group key as $K = g^{a_1 a_2 a_3 \cdots a_N}$.

At  this  stage,  member  MN  can  broadcast  the  session  key  value  to  all  the 
members.  Instead  of  broadcasting  the  K  to  all  the  members,  in  order  to  provide 
the  authentication  part,  the  key  scheme  in  [2]  has  the  down-flow  part  as  follows: 
MN_i  — >  MN_i+i  : 

In  the  down-flow  stage  i  exponentiations  are  performed  by  Mi.  One  of  these 
enables  Mi  to  compute  K,  and  the  rest  of  the  exponentiations  ensure  that  the  rest 
of  the  group  members  eventually  receive  appropriate  shares.  In  order  to  illustrate 
this  case,  we  assume  that  the  group  size  IV  =  6.  In  this  example,  the  last  member 
Me  sends  M5  the  message  { gae,  gaia6,  gai 02(16  •  •  • ,  gaia2a3a4a6  j.  Using  it 

computes  (gaia2“3a4a5)a6  _  ga1a2a3a4a5a6 .  j\/fonfoer  raises  the  rest  of  the  terms 
to  the  power  <25  and  distributes  to  M4.  This  process  is  repeated  by  each  member 
Mi(l  <  i  <  N )  with  appropriate  modifications  until  Mi  computes  the  session 
key.  There  are  0(N2)  messages  and  exponentiations  for  such  a  process. 
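The two-party Diffie-Hellman exchange and the GDH.1 up-flow/down-flow described above, as an added example written for this page (it is not code from [2] or from the dissertation). The modulus and generator are toy choices ($2^{127}-1$ and $3$, both assumptions) so that the flows run instantly; a deployment would use a standardized safe-prime group (e.g. one of the RFC 3526 groups) or an elliptic-curve group. The GDH.1 function also counts message units and exponentiations so that the $O(N^2)$ cost stated above can be checked directly.

```python
# Added example (written for this page; not code from [2] or the dissertation).
# Two-party Diffie-Hellman and the GDH.1 up-flow/down-flow of Section 2.3.4.
# P and G are toy parameters (assumption); the flows carry no authentication.
import secrets

P = (1 << 127) - 1   # toy modulus: the Mersenne prime 2^127 - 1 (assumption)
G = 3                # toy generator (assumption)


def random_exponent(p=P):
    """Private exponent a with 1 < a < p - 1, as required in the text."""
    return 2 + secrets.randbelow(p - 3)


def two_party_dh(a, b, p=P, g=G):
    """M_i -> M_j : g^a ; M_j -> M_i : g^b ; both derive g^{ab}."""
    to_j = pow(g, a, p)
    to_i = pow(g, b, p)
    return pow(to_i, a, p), pow(to_j, b, p)


def gdh1(exponents, p=P, g=G):
    """GDH.1 for N members holding private exponents a_1..a_N.

    Returns (keys, stats): keys[k] is what M_{k+1} computed; stats counts the
    g^{...} values transmitted ("units") and the exponentiations performed.
    """
    n = len(exponents)
    units = exps = 0

    # Up-flow.  M_i -> M_{i+1} : {g^{a_1}, g^{a_1 a_2}, ..., g^{a_1 ... a_i}}
    up = []
    for k in range(n):
        base = up[-1] if up else g
        up.append(pow(base, exponents[k], p))   # one exponentiation per member
        exps += 1
        if k < n - 1:
            units += len(up)                    # M_{k+1} forwards k+1 values
    keys = {n - 1: up[-1]}                      # M_N holds K = g^{a_1 ... a_N}

    # Down-flow.  M_N -> M_{N-1} : {g^{a_N}, g^{a_1 a_N}, ..., g^{a_1..a_{N-2} a_N}}
    a_n = exponents[-1]
    down = [pow(g, a_n, p)] + [pow(x, a_n, p) for x in up[:n - 2]]
    exps += len(down)
    units += len(down)
    for k in range(n - 2, -1, -1):              # M_{N-1} down to M_1
        raised = [pow(x, exponents[k], p) for x in down]   # k+1 exponentiations
        exps += len(raised)
        keys[k] = raised[-1]                    # last term completes K
        down = raised[:-1]                      # the rest are passed on
        if k > 0:
            units += len(down)
    return [keys[k] for k in range(n)], {"units": units, "exps": exps}


def demo(n):
    """Fresh random exponents for n members; True iff all n keys agree."""
    keys, stats = gdh1([random_exponent() for _ in range(n)])
    return len(set(keys)) == 1, stats
```

Nothing in either flow authenticates the contributions: a party that can rewrite the messages in transit can substitute its own exponents, so every hop has to run over an authenticated channel, which is what Section 3.1 later assumes for the key generating members.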

From the computational steps we note that the group DH is useful in cases where group symmetric keys are to be generated, or when group public keys are to be generated with no member holding the whole of the group private key. It was noted in [2] that the generation of group ElGamal keys with all the members contributing, without hiding the secrets, is not feasible in this setup. In order to provide a common private key for the generated public key, the members have to add their individual private keys.

2.3.5 Generating Group ElGamal Keys

In Yung [27], each key generating member is associated with an individual ElGamal public key. The private keys of all the members are added to generate the group private key, and the group public key is then the product of the individual public keys. The computational steps are summarized below.

1. Member $M_i$ randomly chooses $1 < a_i < q-1$ and computes the public key $g^{a_i}$.

2. Member $M_i$ sends $a_i$ to the other members as $M_i \to M_j\ (1 \le j \le N;\ j \ne i) : a_i$.

3. Every member computes the group private key as

\[ a = \sum_{i=1}^{N} a_i \bmod p. \quad (2.1) \]

4. The group public key is the product of the individual public keys modulo $p$. If we denote the group public key by $K$, it is given by

\[ K = \prod_{i=1}^{N} g^{a_i} = g^{\sum_{i=1}^{N} a_i}. \quad (2.2) \]

Although this method requires little computation, it exposes the individual private keys of the key generating members.
2.4 A Distributed Scheme without a Trusted Third Party

In  [37,  38],  the  following  solution  for  contributed  joint  secret  generation  was 
proposed.  We  present  the  approach  in  an  algorithmic  manner. 

1. Members are indexed and every member knows its left and right neighbors.

2. Every member has generated its own secret random integer using an appropriate method.

3. Member $M_1$ generates a random number $a$ within the range, adds its secret $\gamma_1$ to it, and securely communicates $h_1 = (a + \gamma_1)$ to the second member: $M_1 \to M_2 : \{a + \gamma_1\}$.

4. For $i = 2, \ldots, n-1$, member $M_i$ adds its secret $\gamma_i$ to the quantity $h_{i-1} = a + \sum_{j=1}^{i-1} \gamma_j$ received from member $M_{i-1}$ and securely communicates $h_i = a + \sum_{j=1}^{i} \gamma_j$ to member $M_{i+1}$.

5. Member $M_n$ receives the quantity $h_{n-1}$ securely communicated by member $M_{n-1}$, adds its secret $\gamma_n$ and securely communicates the result $S_n = a + \sum_{j=1}^{n} \gamma_j$ to the first member.

6. The first member removes the value $a$ and extracts the common secret $\theta = \sum_{i=1}^{n} \gamma_i$.

Figure 2.2 presents a view of the distributed computations for group secret generation.

Figure 2.2: Distributed secret generation algorithm

The GI (assumed to be a member and denoted here by the index 1 in Figure 2.2) can perform the following steps to generate the joint secret of the group:

1. Generate two random integers $\gamma, \alpha_1$, compute $\delta_1 = (\gamma + \alpha_1)$, and send the result to member $M_2$ (the "next" member in the group) as

\[ M_1 \to M_2 : \{\{T_1, I, 1, \delta_1\}_{K_1^{-1}}\}_{K_2} \]

2. The following steps are repeated for $i = 2, \ldots, n-1$:

(a) Member $M_i$ generates a random integer $\alpha_i$.

(b) Member $M_i$ then operates on the quantity it received from member $M_{i-1}$ as $\delta_i = (\delta_{i-1} + \alpha_i)$.

(c) Member $M_i$ then sends the result to member $M_{i+1}$ as

\[ M_i \to M_{i+1} : \{\{T_i, I, 1, \delta_i\}_{K_i^{-1}}\}_{K_{i+1}} \]

3. Eventually, the group member $M_n$ receives $\delta_{n-1}$, generates a uniformly distributed random number $\alpha_n$, performs $\delta_n = (\delta_{n-1} + \alpha_n)$, and securely sends it to the initiating member $M_1$ as

\[ M_n \to M_1 : \{\{T_n, I, 1, \delta_n\}_{K_n^{-1}}\}_{K_1} \]

4. The initiator ($M_1$) then decrypts it and computes

\[ \delta = (-\gamma + \delta_n) \quad (2.3) \]

which is the sum $\sum_{i=1}^{n} \alpha_i$ of the members' contributions, and sends $\delta$ to each member $i$, for $i = 2, \ldots, n$, as

\[ M_1 \to M_i : \{\{T_1, I, 1, \delta\}_{K_1^{-1}}\}_{K_i} \]

If there is no member collaboration, this approach prevents a member from knowing the individual secret of any other member. The computations scale as $O(N)$, with $N$ the group size. We now show that this scheme reveals the secret of a member under the following collaboration of any two members. The attack works even for the boundary indices if we consider the member indices as forming a ring, which provides a right and a left neighbor for every member.

2.4.1 A User Collusion Problem of the Scheme

Let $M_i$ and $M_{i+2}$ be collaborators. After computing the quantity $\delta_i = \alpha + \sum_{j=1}^{i} \gamma_j$, member $M_i$ securely communicates it to member $M_{i+1}$. It also securely communicates the same quantity (without the knowledge of member $M_{i+1}$) to member $M_{i+2}$.

Member $M_{i+1}$ computes the secret $\delta_{i+1} = \alpha + \sum_{j=1}^{i+1} \gamma_j$ and securely communicates it to member $M_{i+2}$. Using these two quantities, member $M_{i+2}$ extracts the secret of member $M_{i+1}$ in a straightforward manner as $\gamma_{i+1} = \delta_{i+1} - \delta_i$. Hence, the individual secret is not guarded against collusion in this approach.
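The ring protocol of [37, 38] and the $M_i$/$M_{i+2}$ collusion above, as an added example written for this page (it is illustrative code, not the cited scheme's implementation). Arithmetic is taken modulo a toy prime (an assumption; the page only says the values lie "within the range"), and the signed-and-encrypted wrapping of each message is replaced by a plain transcript of what each neighbor receives, since the attack needs only those plaintext values. The wrap-around case (colluders $M_n$ and $M_2$ against $M_1$) uses the final value that $M_1$ sends to every member.

```python
# Added example (written for this page; not the implementation of [37, 38]).
# The ring-based joint secret generation described above and the collusion of
# M_i with M_{i+2}.  P is a toy modulus (assumption: the page only says the
# values lie "within the range"); the signed-and-encrypted message wrapping is
# replaced by a plain transcript of the values each neighbor actually receives.
import secrets

P = 2**61 - 1   # toy prime modulus (assumption)


def ring_joint_secret(gammas, mask=None, p=P):
    """Run the ring protocol for secrets gamma_1..gamma_n (list `gammas`).

    Returns (theta, transcript): theta = sum of all gammas (mod p) as M_1
    extracts it, and transcript[i-1] = h_i, the value M_i sends onward
    (transcript[-1] is S_n, which M_n sends back to M_1)."""
    a = secrets.randbelow(p) if mask is None else mask % p   # M_1's mask
    transcript = []
    h = a
    for gamma in gammas:                 # M_1, M_2, ..., M_n each add a secret
        h = (h + gamma) % p
        transcript.append(h)
    theta = (transcript[-1] - a) % p     # M_1 removes its mask
    return theta, transcript


def collude(transcript, theta, i, p=P):
    """M_i and M_{i+2} collude (1-based i, indices taken around the ring).

    M_{i+2} legitimately receives h_{i+1} from M_{i+1} and is slipped h_i by
    M_i; the difference is gamma_{i+1}.  For i = n the colluders are M_n and
    M_2 and the victim is M_1: M_n leaks S_n = a + theta, theta itself is the
    value M_1 sends to everyone at the end, so a and then gamma_1 follow."""
    n = len(transcript)
    if i < n:
        return (transcript[i] - transcript[i - 1]) % p     # gamma_{i+1}
    a = (transcript[n - 1] - theta) % p
    return (transcript[0] - a) % p                         # gamma_1
```

The masking value $a$ only protects $M_1$'s own secret from $M_2$; it does nothing for the members in the middle of the ring, which is exactly the gap the two colluders exploit.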


2.4.2 Summary of the Distributed Key Generation Schemes

From the key generation schemes, we note that the group Diffie-Hellman method provides resistance to user collusion but cannot provide a group public key whose private key is held by the members. On the other hand, the scheme in [37, 38] can be used for shared keys or public keys, but it suffers from user collusion.

In the next chapter, we provide a new key generation scheme that can be used to generate a joint secret while resisting user collusion. After initialization, our approach can be combined with the scheme by Koblitz [37, 38] to improve performance. We do not require exponentiation as in the group Diffie-Hellman method.
Chapter 3

Joint Key Generation

We present a set of possible distributed key generation schemes that can be used by the control panels introduced in the previous section. In doing so, we first present the existing feasible schemes and then present an approach that can be thought of as a generalization of the one-time pad technique. We note that the proposed scheme does not depend on any property of secure multicast and hence can be used in other applications that require joint secret generation as well.

As a reminder, we note that the key management proposals in [9, 36] lacked a mechanism to select intermediate nodes and allow them to perform key generation and distribution. This chapter addresses the issue of selecting a set of intermediate nodes to jointly perform the key generation for the group. Our procedure admits both shared key and public key generation.

The key generating group consists of $N$ members who are assumed to be mutually suspicious. Each member is provided with group initialization parameters such as an individual pad and a group binding parameter. A member generates its share of the secret, which we call the Fractional Key (FK), hides it using the pad, securely exchanges it with the rest of the members and combines the shares of all the members to generate the hidden joint secret. The group is also parameterized by a group binding parameter that can be used to remove the combined effect of all the pads, thus revealing the joint secret to the members possessing the hidden joint secret. In our approach, we assume that there is a trusted third party, such as the group initiator, that will select and initialize the group key generation procedure. We now present our scheme for allowing a set of specific members to generate the joint keys.

3.1  Assumptions 

The  following  is  a  list  of  the  underlying  assumptions  of  our  proposed  scheme: 

• There exists a binary operation $\oplus$ that operates on the set $S$ of elements generating the secret such that $S \oplus S \to S$.

•  The  shared  keys  are  generated  by  a  fixed  number  of  participants  n. 

•  A  mechanism  exists  for  certifying  the  members  participating  in  the  key 
generation  procedure,  for  securely  exchanging  the  quantities  required  in 
the  algorithm  and  for  authenticating  the  source  of  these  quantities. 

•  Every  member  can  generate  uniformly  distributed,  independent  random 
numbers  in  a  given  range. 

3.2  Notations  Used 

The  following  notations  are  used  to  describe  the  different  quantities  used  in  the 
proposed  method: 
$\alpha_{i,j}$: The one-time pad of the $i$th member at the $j$th secret update iteration.

$\theta_j$: The pad binding parameter at the $j$th secret update iteration.

$FK_{i,j}$: The fractional key of the $i$th member at the $j$th secret update iteration.

$HFK_{i,j}$: The hidden $FK_{i,j}$ of the $i$th member at the $j$th secret update iteration.

$SK_j$: The group shared key at the $j$th key update instance.

$A \to B : X$: Principal $A$ sends principal $B$ a message $X$.

Given  the  above  listed  assumptions,  the  joint  secret  generation  scheme  consists 
of  the  following  major  parts: 

1.  Initialization:  distribution  of  initial  pad  and  binding  parameters. 

2.  Generation  of  the  common  shared  secret  using  the  hidden  fractional  keys 
of  individual  members. 


3.3  Initialization 

The group initiator chooses $n$ uniformly distributed, mutually independent random numbers (the initial pads of the members) $\{\alpha_{i,0}\}_{i=1}^{n}$. It also chooses $\theta_0 = \sum_{i=1}^{n} \alpha_{i,0}$. Each member $i$ is given its unique initial pad $\alpha_{i,0}$ and the initial group binding parameter $\theta_0$.

3.4  Description  of  the  Computational  Steps 

Figure 3.1 represents the symbolic computation of the proposed method at secret update step $j$.

Figure 3.1: Iteration and mappings of the key generation algorithm

1. At the time of initialization, $n$ members are selected (depending on an application specific procedure) and given initial pads denoted by $\alpha_{i,1}$, $1 \le i \le n$, such that

\[ \alpha_{1,1} \oplus \alpha_{2,1} \oplus \cdots \oplus \alpha_{n,1} = \theta_1. \quad (3.1) \]

Here, $\oplus$ is the binary operation defined over the set of valid keys. For example, one possible selection is to set $\oplus$ to be addition modulo $p$ with a large prime $p$.

2. In the first iteration step, every member $i$ uniformly picks a value $FK_{i,1}$ from the set $S$ of valid individual shares, and generates its hidden share as $HFK_{i,1} = FK_{i,1} \oplus \alpha_{i,1}$. These shares are then securely communicated to all other members.

3. Every member $i$ locally computes

\[ \bigoplus_{i=1}^{n} HFK_{i,1} = \bigoplus_{i=1}^{n} (\alpha_{i,1} \oplus FK_{i,1}) \quad (3.2) \]
\[ = \lambda_1 \theta_1 \oplus \theta_2 \quad (3.3) \]

with

\[ \theta_2 = \bigoplus_{i=1}^{n} FK_{i,1} \quad (3.4) \]

where $\lambda_1 \theta_1$ denotes the result of the operation $\oplus$ performed on $\theta_1$, $\lambda_1$ times. In particular, we note that $\lambda_1$ need not be a scalar (i.e. it need not belong to the same field or ring as $\alpha_{i,j}$ or $\theta$; this is essential in applying our method to elliptic curves).

4. Every member then locally computes the new value of the group shared secret $\theta_2$ by removing the effect of the initial shared secret value:

\[ \theta_2 = \lambda_1 \theta_1 \oplus \theta_2 \oplus \mu_1 \theta_1 \quad (3.5) \]

(where $\mu_1$ is the appropriate inverse of $\lambda_1$; for example, if $\oplus$ is addition modulo $p$ with $p$ a large prime, then $\mu_1 = p - \lambda_1$).

5. Every member $i$ locally computes its new pad as

\[ \alpha_{i,2} = \theta_2 \oplus \gamma FK_{i,1} \quad (3.6) \]

(where $\gamma FK_{i,1}$ denotes the inverse of $FK_{i,1}$ under $\oplus$), essentially removing the effect of its own share.

6. At the share update step $j$, the procedure is:

• generate new individual shares $FK_{i,j}$;

• combine them with the individual dynamic pads $\alpha_{i,j}$ to generate $HFK_{i,j}$;

• exchange the HFKs of all the members securely;

• compute the new shared secret $\theta_{j+1} = \lambda_j \theta_j \oplus \theta_{j+1} \oplus \mu_j \theta_j$, with $\mu_j$ the appropriate inverse of $\lambda_j$ (with the pad update above, the pads of any iteration $j \ge 2$ combine to $\bigoplus_{i} \alpha_{i,j} = (n-1)\theta_j$, so $\lambda_j = n-1$, whereas $\lambda_1 = 1$ by (3.1));

• compute the new individual pad $\alpha_{i,j+1} = \theta_{j+1} \oplus \gamma FK_{i,j}$.

This  summarizes  the  computational  steps  of  the  proposed  scheme.  We  now 
identify  possible  structures  that  are  relevant  to  this  computational  scheme. 
3.5 Necessary Algebraic Structures

From the brief description of our proposed scheme, we note that the following properties are needed for the operator $\oplus$ along with the set $S$:

• The combination of the pads with the individual shares should lead to HFKs that are contained in the set $S$, otherwise the shared key $SK$ need not belong to the set $S$. Hence, the set $S$ must be algebraically closed under the operation $\oplus$.

• Even if the members combine the HFKs in a specified order, the result of the combination should be the same regardless of which HFKs in that order are processed first. Hence, the operator $\oplus$ needs to be associative. For example

\[ (HFK_{1,j} \oplus HFK_{2,j}) \oplus HFK_{3,j} = HFK_{1,j} \oplus (HFK_{2,j} \oplus HFK_{3,j}). \quad (3.7) \]

• In order to guarantee freshness, members need to be able to separate the values of the previous and the new shared secret, so the operator $\oplus$ also needs to be commutative. This means that the expression

\[ (\alpha_{1,j} \oplus FK_{1,j}) \oplus (\alpha_{2,j} \oplus FK_{2,j}) \oplus \cdots \oplus (\alpha_{n,j} \oplus FK_{n,j}) \quad (3.8) \]

can be separated and written as

\[ (\alpha_{1,j} \oplus \alpha_{2,j} \oplus \cdots \oplus \alpha_{n,j}) \oplus (FK_{1,j} \oplus FK_{2,j} \oplus \cdots \oplus FK_{n,j}) = \lambda_j \theta_j \oplus \theta_{j+1}. \quad (3.9) \]

• Since combining the HFKs leads to the hidden shared key value $\lambda_j \theta_j \oplus \theta_{j+1}$, we need to find the inverse of $\lambda_j \theta_j$ to remove the effect of the previous key $\theta_j$. If the elements $FK_{i,j}$ are picked uniformly from the set $S$, then the value of $\theta_{j+1}$ is uniformly distributed and hence $\theta_j$ can take any value from the set $S$. As a result, every element in the set $S$ must have an inverse with respect to the operation $\oplus$.
It is important to note that if the removal of the previous $\theta_j$ is not required, then the inverse is not needed. If the elements do not possess the associative property under $\oplus$, the minimal necessary structure is that the set $S$ together with the operator $\oplus$ is a groupoid. If associativity holds, the semigroup structure is enough.

The minimal necessary algebraic structure that provides associativity, commutativity and the existence of an inverse for every element is a commutative group. One immediate example is a group of prime order, which is widely used in cryptosystems.

Using  the  approach  presented  above,  we  present  a  group  shared  key  generation 
scheme,  and  a  group  ElGamal  public  key  scheme. 


3.6 Generation of Group Shared Key

The computational grid diagram for this method is the same as before, and is shown in Figure 3.2 with slight modifications.

The key generation algorithm is an iterative process depicted in Figure 3.2. Each iteration $j$ requires as input (indicated as step (0) in the figure) a set of one-time pads $\alpha_{i,j}$, $i = 1, \ldots, n$, and the binding parameter $\theta_j$, which are obtained from the initialization algorithm for $j = 1$ and from the preceding iteration for $j > 1$.

The iterative key generation algorithm consists of the following steps (1)-(5):

Figure 3.2: Iteration and mappings of the key generation algorithm

1. For $i = 1, \ldots, n$, member $i$ generates a cryptographically secure random number $FK_{i,j}$.

2. For $i = 1, \ldots, n$, member $i$ generates the quantity $HFK_{i,j} = \alpha_{i,j} \oplus FK_{i,j}$, and all the members securely exchange the HFKs as

\[ \forall\ 1 \le l, m \le n,\ l \ne m:\qquad l \to m : \{\{HFK_{l,j}\}_{K_l^{-1}}\}_{K_m}. \]

3. Once the exchange is complete, each member computes the new group parameter $\theta_{j+1}$ as

\[ \theta_{j+1} = \mu_j \theta_j \oplus HFK_{1,j} \oplus HFK_{2,j} \oplus \cdots \oplus HFK_{n,j} \]
\[ \Rightarrow\ \theta_{j+1} = FK_{1,j} \oplus FK_{2,j} \oplus \cdots \oplus FK_{n,j}, \]

with $\mu_j$ the inverse of $\lambda_j$ as in (3.5).

4. If the resulting group parameter $\theta_{j+1}$ is cryptographically insecure for a particular application, all members can repeat steps (1)-(3), creating a new high quality group parameter $\theta_{j+1}$.

5. For $i = 1, \ldots, n$, member $i$ computes $\alpha_{i,j+1} = \theta_{j+1} \oplus \gamma FK_{i,j}$ (with $\gamma FK_{i,j}$ the inverse of $FK_{i,j}$ under $\oplus$) and $SK_j = f(\theta_{j+1})$, where $f(\cdot)$ is a pseudo random function.


3.7 Generation of the Group ElGamal Keys over

We assume that all the members agree on a prime $p$ and a generator $g$.

The iterative key generation algorithm consists of the following steps (1)-(6):

Figure 3.3: Iteration and mappings of the key generation algorithm

1. For $i = 1, \ldots, n$, member $i$ randomly picks a number $FK_{i,j}$ with $0 < FK_{i,j} < p-2$ and generates $g^{FK_{i,j}}$. The public key is $(p, g, g^{FK_{i,j}})$. The private key is $FK_{i,j}$.

2. All the members publish their public keys $(p, g, g^{FK_{i,j}})$. This prevents members from introducing any bias into the group private key later.

3. For $i = 1, \ldots, n$, member $i$ generates the quantity $HFK_{i,j} = (\alpha_{i,j} + FK_{i,j}) \bmod p$, and then all members securely exchange the HFKs as

\[ \forall\ 1 \le l, m \le n,\ l \ne m:\qquad l \to m : \{\{HFK_{l,j}\}_{FK_{l,j-1}^{-1}}\}_{FK_{m,j-1}}. \]

4. Once the exchange is complete, each member computes $\theta_{j+1}$ as

\[ \theta_{j+1} = \Big((p-2)\,\theta_j + \sum_{i=1}^{n} HFK_{i,j}\Big) \bmod (p-1). \]

The group public key is

\[ g^{\theta_{j+1}} = \prod_{i=1}^{n} g^{FK_{i,j}}. \]

5. If the resulting group key pair is cryptographically insecure for a particular application, all members can repeat steps (1)-(3), creating a new high quality key pair.

6. For $i = 1, \ldots, n$, member $i$ computes the iteration update as $\alpha_{i,j+1} = (\theta_{j+1} + FK_{i,j}) \bmod p$.
Steps (1)-(6) present the computational steps for generating the keys at each update. At the end of step (1), member $i$ has generated the $j$th update of its ElGamal public key pair. Member $i$ then hides the key in step (3) by generating $HFK_{i,j}$ and sends it to the other participating members. The public/private key pairs used in the exchanges of iteration $j$ are the individual ElGamal fractional key pairs of iteration $j-1$. At this stage, every member can independently combine the shares of all the key generating members and derive the group private key $\theta_{j+1}$. If the members decide not to generate a public key pair, they can use this as a group secret shared key. However, if the group decides to generate a group ElGamal public key pair, the members then obtain the value of $\theta_{j+1} \bmod (p-1)$ as the private key. The corresponding public key is given by $g^{\theta_{j+1}}$.

We note that the key generation procedure described above combines the following different features:

• For a single member, generation of the public key pair uses the standard ElGamal method, which is based on the assumption that it is difficult to compute the discrete logarithm function.

• Generation of the HFKs is based on the result that if two numbers are generated uniformly and independently, identically distributed (iid), then given a non-trivial function of them it is difficult to derive the individual components.

• Generation of the group public key is a generalized ElGamal public key system. The main result here is that although every member can individually generate the same group public key pair, they do not have direct access to each other's private keys.
• Even if an attacker breaks the group private key (via traffic analysis) and, hence, the group parameter $\theta_j$ for the next iteration, the attacker still has to break another $(n-1)$ ElGamal keys to obtain the messages exchanged in the next key update. From the computational point of view, this implies that the group key length can be made smaller if the message is relevant only for a limited time frame.

• The time-varying pad $\alpha_{i,j+1}$ is computed such that, for an outsider, obtaining $\alpha_{i,j+1}$ is as hard as obtaining the actual key $FK_{i,j}$ at any given time.

• Although all the members have $HFK_{i,j}$, obtaining $FK_{i,j}$ from it involves a brute force search. Hence, even if a fellow member becomes an attacker, that rogue member has the same computational burden in obtaining the FK as a cryptanalyst; i.e. trust is not unconditional.

• By the same argument, we note that only member $i$ can compute $\alpha_{i,j+1}$. Everyone else has to perform a brute force search before finding $\alpha_{i,j+1}$, which is time-varying.

• Even if an outsider captures and decrypts a packet and obtains the HFK of a single participating member, the attacker is faced with the following challenges:

1. Having a HFK does not give the attacker any advantage in decrypting a message encrypted with $g^{\theta_j}$.

2. The outside attacker has to find the corresponding remaining $(n-1)$ HFKs. Since the keys are transported in a secure manner, only the participating members have direct access to the HFKs. For an outsider, it may be much harder to simultaneously attack and obtain these $(n-1)$ parts, which have a limited lifetime.

• FKs, as well as the group key, are checked for standard weaknesses before being used.


3.8 Recovering the Fractional Key of a Single Node

The following steps are involved in the recovery of $FK_{i,j}$ and $\alpha_{i,j}$ of the failed node $i$, where $j$ represents the iteration number in which the node was compromised or failed.

1. Any one FK-generating member, called the Recovery Initiator (RI), must initiate recovery and give the HFK of the failed node $i$ to the newly elected node $i$ as

\[ RI \to i : \{\{HFK_{i,j}\}_{FK_{RI}^{-1}}\}_{FK_i}. \]

2. The RI must also give the newly elected node $i$ the current $\theta_j$ as

\[ RI \to i : \{\{\theta_j\}_{FK_{RI}^{-1}}\}_{FK_i}. \]

3. Using the same algorithm as is used for distributed initialization, only with $\alpha_{l,j}$ replaced, the RI initiates a distributed process whereby each member $l$ is given two random numbers $(\gamma, \delta_l)$ as in the initialization, with $\gamma = \sum_{l} \delta_l \bmod p$.

4. For $l = 1, \ldots, n-1$, each node $l$ then computes a modified hidden fractional key $\widetilde{HFK}_{l,j} = (\delta_l + FK_{l,j}) \bmod p$ and hands it to the newly elected member $i$ as

\[ l \to i : \{\{\widetilde{HFK}_{l,j}\}_{FK_l^{-1}}\}_{FK_i}. \]

5. Node $i$ then combines all of the modified HFKs and recovers the private key $FK_{i,j}$ using the operation

\[ FK_{i,j} = \Big(\theta_j + (p-1)\Big(\gamma - \sum_{l=1}^{n-1} \widetilde{HFK}_{l,j}\Big)\Big) \bmod p. \]

6. Node $i$ then extracts the pad $\alpha_{i,j}$ using the operation

\[ \alpha_{i,j} = \big(\theta_j + (p-1)(\gamma - FK_{i,j})\big) \bmod p. \]

We note that the recovered values of $FK_{i,j}$ and $\alpha_{i,j}$ are unique. Once the new node has recovered the fractional key of the compromised node, it can inform the other contributing members to update the iteration number from $j$ to $j+1$, after which all members execute the key generation algorithm. Note that even though the newly elected member recovers the compromised fractional key and pad, its next key generation operation does not use the compromised key or pad. Hence, even if the attacker possesses the fractional key or pad at iteration $j$, this does not allow the attacker to obtain the future fractional keys or pads without computation.

Although $n = 3$ members can generate the keys, if a single member exposes its secret, the remaining two members can compute each other's pads as follows, thus breaking the system. Hence, four is the minimum necessary group size for this procedure. This is summarized as

Lemma 3.1: Independent of how non-trivial the bit length of the key is, when operating with $n = 3$, a single rogue member can invalidate the system's zero-knowledge property within the group.

Proof: Assume that the time instant at which one member $i$ ($i = 1$, $2$ or $3$) becomes a rogue is $j$. At this time the members hold the values $\alpha_{1,j} = (HFK_{2,j} + HFK_{3,j}) \bmod p$, $\alpha_{2,j} = (HFK_{3,j} + HFK_{1,j}) \bmod p$, $\alpha_{3,j} = (HFK_{1,j} + HFK_{2,j}) \bmod p$. Every member also has access to the current $\theta_j$ and its own $FK_{l,j}$ ($l = 1, 2, 3$). At this stage, obtaining the $\alpha$ component of any other member is as computationally intensive as an outside attacker trying to obtain $\theta_j$. However, if a member, say $i = 1$, is compromised and releases its secret $\alpha_{1,j}$, then each of the other members can use this to compute $FK_{1,j} = (\alpha_{1,j} + \theta_j) \bmod p$. Since $\theta_j = (FK_{1,j} + FK_{2,j} + FK_{3,j}) \bmod p$, each member can now compute the other member's FK as well.
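The fractional-key scheme of Sections 3.3 through 3.7 and the $n = 3$ exposure of Lemma 3.1, as one added example written for this page (it is not the dissertation's code). Here $\oplus$ is addition modulo $q = p - 1$ for a toy prime $p$ and generator $g$ (both assumptions), so that the same $\theta_{j+1}$ serves as the shared secret of Section 3.6 and as the group ElGamal private key of Section 3.7, whose public key is checked against the product of the published individual public keys (the product rule of Section 2.3.5). The signed-and-encrypted HFK exchange and the PRF $f(\cdot)$ are omitted. $\lambda_1 = 1$ because the initial pads sum to $\theta_1$ by (3.1); after that the pad update $\alpha_{i,j+1} = \theta_{j+1} \ominus FK_{i,j}$ makes the pads sum to $(n-1)\theta_{j+1}$, so $\lambda_j = n-1$ for $j \ge 2$ (this value is not spelled out on the page and is derived here).

```python
# Added example (written for this page; not the dissertation's code).
# Fractional-key joint secret generation (Sections 3.3-3.7) over Z_q with
# q = p - 1, and the n = 3 exposure of Lemma 3.1.  P and G are toy parameters
# (assumption); the signed/encrypted HFK exchange and the PRF f() are omitted.
import secrets

P = 2**127 - 1   # toy prime for the ElGamal side (assumption)
G = 3            # toy generator (assumption)
Q = P - 1        # (+) is addition modulo Q, the exponent modulus of G


class Member:
    """One FK-generating member: its own pad alpha_{i,j}, the binding
    parameter theta_j every member holds, and its current share FK_{i,j}."""

    def __init__(self, index, pad, theta):
        self.i = index
        self.alpha = pad
        self.theta = theta
        self.fk = None

    def make_hfk(self, fk=None):
        """Steps (1)-(2): pick FK_{i,j} uniformly and hide it with the pad."""
        self.fk = secrets.randbelow(Q) if fk is None else fk % Q
        return (self.alpha + self.fk) % Q                   # HFK_{i,j}

    def public_share(self):
        """Section 3.7 step (2): the member's individual ElGamal public key."""
        return pow(G, self.fk, P)

    def update(self, hfks, lam):
        """Steps (3) and (5): strip lambda_j * theta_j from the combined HFKs
        to obtain theta_{j+1} = sum_i FK_{i,j}, then derive the next pad."""
        combined = sum(hfks) % Q                  # lambda_j theta_j + theta_{j+1}
        self.theta = (combined - lam * self.theta) % Q
        self.alpha = (self.theta - self.fk) % Q   # alpha_{i,j+1} = theta_{j+1} - FK_{i,j}
        return self.theta


def initialize(n):
    """Section 3.3: the initiator hands out pads whose sum is theta_1 (3.1)."""
    pads = [secrets.randbelow(Q) for _ in range(n)]
    theta1 = sum(pads) % Q
    return [Member(i, pads[i], theta1) for i in range(n)]


def run_iteration(members, j, fks=None):
    """One update j (1-based).  lambda_1 = 1 since the initial pads sum to
    theta_1; afterwards the pads sum to (n-1) theta_j, so lambda_j = n-1.
    `fks` optionally fixes the shares (used for checking); returns theta_{j+1}."""
    n = len(members)
    lam = 1 if j == 1 else n - 1
    hfks = [m.make_hfk(None if fks is None else fks[k]) for k, m in enumerate(members)]
    thetas = {m.update(hfks, lam) for m in members}     # exchanged HFKs, local update
    if len(thetas) != 1:
        raise RuntimeError("members disagree on theta_{j+1}")
    return thetas.pop()


def group_public_key(members):
    """Section 3.7 step (4): g^theta must equal the product of the published
    individual public keys.  Returns (g^theta, product) for comparison."""
    theta = members[0].theta
    product = 1
    for m in members:
        product = product * m.public_share() % P
    return pow(G, theta, P), product


def exposure_with_three(members):
    """Lemma 3.1: with n = 3, if member 0 leaks its pad after an update, everyone
    learns FK_{0,j} = theta_{j+1} - alpha_{0,j+1}; member 1 then recovers member
    2's share from theta_{j+1} = FK_0 + FK_1 + FK_2.  Returns member 1's guess."""
    m0, m1, _ = members
    fk0 = (m0.theta - m0.alpha) % Q               # from the leaked pad
    return (m1.theta - fk0 - m1.fk) % Q
```

`exposure_with_three` is why the page insists on at least four members: with $n = 3$, one leaked pad lets each of the two remaining members read the other's share, whereas with $n \ge 4$ a single leak reveals only the sum of the remaining shares.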


3.9 Proofs of Computational Security

In this section, we show that the given scheme is protected from the external threat of traffic analysis. In the analysis we assume that the number of key generating members is even. We also show that, given the HFKs of all the members involved in key generation, the best a cryptanalyst can do is to guess the random number arbitrarily (if the random variables are chosen uniformly). We also present a measure of the departure from the ideal case in terms of mutual information.


3.10 Mutual Information between the FK and HFK

In the scheme described above, we note that at each time instance $j$, a member $i$ first generates $FK_{i,j}$ and performs modulo addition of it with the time-varying pad $\alpha_{i,j}$ to generate $HFK_{i,j}$. We note that every member generates its $FK_{i,j}$ using a random number generator that outputs iid random variables. Hence:

• By assumption the $FK_{i,j}$'s are mutually independent. Moreover, the $FK_{i,j}$'s at different time updates are also independent, i.e.

\[ I(FK_{i,j} \wedge FK_{l,m}) = H(FK_{i,j}) - H(FK_{i,j} \mid FK_{l,m}) = 0 \quad (3.10) \]

where $(i,j) \ne (l,m)$.

• The time-varying pad is given by

\[ \alpha_{i,j} = SK_{j-1} \oplus \gamma FK_{i,j-1} = \bigoplus_{l=1,\ l \ne i}^{n} FK_{l,j-1} \quad (3.11) \]

(with $\gamma FK_{i,j-1}$ the inverse of $FK_{i,j-1}$ under $\oplus$). Hence $\alpha_{i,j}$ is independent of $FK_{i,j-1}$ and $FK_{i,j}$, i.e. the pad of member $i$ at time update $j$ is independent of all FK's of that member, which implies $I(\alpha_{i,j} \wedge FK_{i,l}) = H(\alpha_{i,j}) - H(\alpha_{i,j} \mid FK_{i,l}) = 0$, $\forall l$.

• Since the pad $\alpha_{i,j}$ of member $i$ is a function of the FKs of the other $n-1$ key generating members at time update instance $j-1$, and since all the FKs are iid, we have that $\alpha_{i,j}$ is independent of all the FKs at any other time instance, i.e. $I(\alpha_{i,j} \wedge FK_{l,m}) = H(\alpha_{i,j}) - H(\alpha_{i,j} \mid FK_{l,m}) = 0$, $\forall m \ne j-1$.

Using these observations, at key update time instance $j$, for member $i$, the mutual information between FK and HFK can be computed as:

\[ I(HFK_{i,j} \wedge FK_{i,j}) = I(\alpha_{i,j} \oplus FK_{i,j} \wedge FK_{i,j}) \quad (3.12) \]
\[ = H(\alpha_{i,j} \oplus FK_{i,j}) - H(\alpha_{i,j} \oplus FK_{i,j} \mid FK_{i,j}) \quad (3.13) \]
\[ = H(\alpha_{i,j} \oplus FK_{i,j}) - H(\alpha_{i,j}). \quad (3.14) \]

From this equation we note that if the FKs are uniform as well as iid, then $\alpha_{i,j} \oplus FK_{i,j}$ is also uniform. For this case we have that

\[ I(\alpha_{i,j} \oplus FK_{i,j} \wedge FK_{i,j}) = H(\alpha_{i,j} \oplus FK_{i,j}) - H(\alpha_{i,j}) \quad (3.15) \]
\[ = \log L - \log L = 0, \quad (3.16) \]

where $L$ is the size of the key space.

Hence, if the random number generator gives uniformly distributed iid quantities, then the mutual information between the HFK and the FK is zero; i.e. given the HFK, the best the attacker can do is to guess the FK. We note that this statement is true independent of whether the attacker is another key generating member or not. Hence, another single group member cannot extract the FK of member $i$ by obtaining the HFKs of other members; i.e. the pad $\alpha_{i,j}$ does provide the desired randomization of $FK_{i,j}$ for member $i$ at key update time $j$.

We also note that in generating the HFKs we perform modulo addition of two uniformly distributed random variables. Neither of them has any language structure. Hence, the attacker cannot use word frequency analysis or any other language construct to reduce the search space.

In summary, if the random variables are generated uniform and iid, then there is perfect secrecy between the HFKs and the FKs. We also need mutual independence with respect to the initial parameters. Under these conditions on the distributions no one, including the other key generating members, can make use of $HFK_{i,j}$ to extract $FK_{i,j}$.


3.11 Proofs Based on Conditional Probabilities

In this section we show how to use probabilistic arguments to derive the secrecy conditions satisfied by the model. In order to do that we assume that the FK's, the HFK's and the $\alpha_{i,j}$ all have spaces of the same size. We first note that the proposed scheme is analogous to a two step procedure as shown below

$f_1(FK_{i,j}; \alpha_{i,j}) = FK_{i,j} \oplus \alpha_{i,j} = HFK_{i,j}$ (3.17)

$f_2(HFK_{1,j}; \cdots ; HFK_{n,j}; \theta_j) = HFK_{1,j} \oplus \cdots \oplus HFK_{n,j} \oplus \theta_j = SK_j$ (3.18)

$f_3(FK_{i,j}; SK_j) = \alpha_{i,j+1}$

$\theta_{j+1} = SK_j$

Theorem 3.1: The fractional key based shared key generation scheme provides perfect secrecy for the maps $f_l$, $l = 1, 2, 3$, iff the FK's are chosen uniform and the map $f_l$ is injective.

Proof: We will give the proofs for the maps $f_1$ and $f_2$. Note that the proof does not really depend on which operation $\oplus$ is, except for the fact that the operation $\oplus$ needs to be invertible.

We can consider the function $f_1(\cdot)$ as the encryption of the "message" $\alpha_{i,j}$ using the key $FK_{i,j}$ to get the cipher text $HFK_{i,j}$. Let us denote $FK_{i,j} \in \mathcal{FK}$, $HFK_{i,j} \in \mathcal{HFK}$, $\alpha_{i,j} \in \mathcal{A}$. Hence, for each $\alpha_{i,j} \in \mathcal{A}$ and $HFK_{i,j} \in \mathcal{HFK}$ there is at least one $FK_{i,j} \in \mathcal{FK}$ such that $f_1(FK_{i,j}, \alpha_{i,j}) = FK_{i,j} \oplus \alpha_{i,j} = HFK_{i,j}$ and

$|\mathcal{A}| = |\{ f_1(FK_{i,j}, \alpha_{i,j}) : FK_{i,j} \in \mathcal{FK} \}| \le |\mathcal{FK}|.$ (3.19)

However, the fractional key scheme is such that $|\mathcal{FK}| = |\mathcal{HFK}| = |\mathcal{A}|$. Hence,

$|\{ f_1(FK_{i,j}, \alpha_{i,j}) : FK_{i,j} \in \mathcal{FK} \}| = |\mathcal{FK}|.$ (3.20)

Therefore, we have shown that if $FK_{i,j} \neq FK'_{i,j}$ then $f_1(FK_{i,j}, \alpha_{i,j}) \neq f_1(FK'_{i,j}, \alpha_{i,j})$. Hence, for a given $\alpha_{i,j} \in \mathcal{A}$ and $HFK_{i,j} \in \mathcal{HFK}$, we have only one $FK_{i,j}$ such that $f_1(FK_{i,j}, \alpha_{i,j}) = HFK_{i,j}$. There are $|\mathcal{FK}|$ possible "keys". Hence, given an HFK, there are $|\mathcal{FK}|$ possible unique mappings of each $\alpha_{l,i,j}$ to HFK, i.e., $f_1(FK_{l,i,j}, \alpha_{l,i,j}) = HFK_{i,j}$, $1 \le l \le |\mathcal{FK}|$. This leads to

$P(\alpha_{l,i,j} \mid HFK_{i,j}) = \frac{P(HFK_{i,j} \mid \alpha_{l,i,j})\, P(\alpha_{l,i,j})}{P(HFK_{i,j})} = \frac{P(FK_{l,i,j})\, P(\alpha_{l,i,j})}{P(HFK_{i,j})}.$ (3.21)

The perfect secrecy condition yields $P(\alpha_{l,i,j} \mid HFK_{i,j}) = P(\alpha_{l,i,j})$. Using this we have $P(FK_{l,i,j}) = P(HFK_{i,j})$, $1 \le l \le |\mathcal{FK}|$. This means that the "keys" are drawn with equal probability. But since the number of "keys" is $|\mathcal{FK}|$, we must have that the $FK_{i,j}$ are chosen uniformly. Hence, if we have perfect secrecy for $f_1(\cdot)$ then we must choose the keys FK's uniform.

Proof of the converse part: If the conditions are satisfied, namely that the FK's are chosen uniformly and only one set of HFK and $\alpha_{i,j}$ is mapped to a unique $FK_{i,j}$, then the proof of perfect secrecy is given by

$P(HFK) = \sum_{FK_{i,j} \in \mathcal{FK}} P(FK_{i,j})\, P(f_1^{-1}(HFK))$ (3.22)

$= |\mathcal{FK}|^{-1} \sum_{FK_{i,j} \in \mathcal{FK}} P(f_1^{-1}(HFK))$ (3.23)

$= |\mathcal{FK}|^{-1}$ (3.24)

(3.25)

The last step follows from the fact that for a given key, only one message is assumed to be mapped to the cipher. Hence, independent of the distribution of $f_1^{-1}(HFK)$ the summation should be equal to 1. Using the result above we have


$P(\alpha_{i,j} \mid HFK) = \frac{P(HFK \mid \alpha_{i,j})\, P(\alpha_{i,j})}{P(HFK)}.$ (3.26)

Hence, the system defined by the function $f_1$ has perfect secrecy. The proof for the function $f_3$ is identical to that of $f_1$. To prove that the function $f_2$ also implies perfect secrecy, we note that


$f_2(HFK_{1,j}; \cdots ; HFK_{n,j}; \theta_j)$ (3.27)

$= HFK_{1,j} \oplus HFK_{2,j} \oplus \cdots \oplus HFK_{n,j} \oplus \theta_j$

$= FK_{1,j} \oplus \alpha_{1,j} \oplus HFK_{2,j} \oplus \cdots \oplus HFK_{n,j} \oplus \theta_j$

$= f_1(FK_{1,j}; \alpha_{1,j}) \oplus HFK_{2,j} \oplus \cdots \oplus HFK_{n,j} \oplus \theta_j$

$= FK_{1,j} \oplus HFK_{2,j} \oplus \cdots \oplus HFK_{n,j} \oplus \theta_j \oplus \alpha_{1,j}$

This can be written as

$FK_{1,j} \oplus \lambda_{1,j} = f_1(FK_{1,j}; \lambda_{1,j}) = \gamma_{1,j},$ (3.28)

where $\lambda_{1,j} = HFK_{2,j} \oplus \cdots \oplus HFK_{n,j} \oplus \theta_j \oplus \alpha_{1,j}$ collects all the terms other than $FK_{1,j}$.


Now, for $f_1$ we have already shown that perfect secrecy is achieved iff $FK_{i,j}$ is uniformly chosen, as long as only one key relates the "plain text" and the "cipher". Hence $SK_j$ is uniformly distributed if $FK_{i,j}$ is uniformly chosen and every member makes sure that no fractional key is repeatedly used by them.

In summary, if the fractional keys are chosen uniformly and the function $\oplus$ is such that only one fractional key relates a given HFK and the pad, then we have perfect secrecy if the bit lengths of these quantities are the same. Clearly, the modulo addition operation satisfies these requirements.
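The mutual information argument of (3.12) to (3.16) and the injectivity of $f_1$ used in (3.19) and (3.20), checked exhaustively for $L$-bit quantities with $\oplus$ taken as xor. This is an added example, not the dissertation's code; the sample FK, pad and $\theta$ values are constructed, and the map $f_3$ is not modelled.

```python
"""Mutual information between a fractional key FK and its padded form HFK = FK xor alpha.

Added example; not code from the dissertation. Quantities are L-bit values and the
invertible operation (+) is xor. The joint distribution of (HFK, FK) is enumerated
exactly, so I(HFK ^ FK) of (3.12)-(3.16) can be checked: it is 0 for a uniform,
independent pad and positive for a biased pad. The block also checks that f1 is
injective in FK for a fixed pad (3.20) and evaluates one round of f2 (3.18).
"""
import math
from collections import Counter
from functools import reduce
from operator import xor

L = 3                      # bit length of FK, HFK and the pad; all three spaces have 2**L elements
SPACE = range(1 << L)


def f1(fk, alpha):
    """HFK = FK (+) alpha with (+) = xor (3.17)."""
    return fk ^ alpha


def f2(hfks, theta):
    """SK = HFK_1 (+) ... (+) HFK_n (+) theta (3.18)."""
    return reduce(xor, hfks, theta)


def shared_key_round(fks, alphas, theta):
    """One key update: member i publishes HFK_i = f1(FK_i, alpha_i); SK = f2(HFKs, theta)."""
    hfks = [f1(fk, a) for fk, a in zip(fks, alphas)]
    return hfks, f2(hfks, theta)


def entropy_bits(dist):
    """Shannon entropy in bits of a {value: probability} map."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def mutual_information(fk_dist, alpha_dist):
    """I(HFK ^ FK) = H(HFK) - H(HFK | FK) for independent FK and alpha (3.13)-(3.14).

    H(HFK | FK) = H(HFK, FK) - H(FK); with HFK = FK xor alpha this equals H(alpha).
    """
    joint = Counter()
    for fk, p_fk in fk_dist.items():
        for alpha, p_a in alpha_dist.items():
            joint[(f1(fk, alpha), fk)] += p_fk * p_a
    hfk_dist = Counter()
    for (hfk, _fk), p in joint.items():
        hfk_dist[hfk] += p
    h_hfk_given_fk = entropy_bits(joint) - entropy_bits(fk_dist)
    return entropy_bits(hfk_dist) - h_hfk_given_fk


def uniform():
    """Uniform distribution over the L-bit space."""
    return {v: 1.0 / len(SPACE) for v in SPACE}


def biased(hot=0, weight=0.5):
    """Constructed non-uniform distribution: value `hot` with probability `weight`, rest uniform."""
    rest = (1.0 - weight) / (len(SPACE) - 1)
    return {v: (weight if v == hot else rest) for v in SPACE}


def f1_injective_in_key(alpha):
    """For a fixed pad, distinct FKs give distinct HFKs: |{f1(FK, alpha)}| = |FK| (3.20)."""
    return len({f1(fk, alpha) for fk in SPACE}) == len(SPACE)


# Constructed sample values for one round with three key-generating members.
SAMPLE_FKS = [5, 3, 6]
SAMPLE_ALPHAS = [2, 7, 1]
SAMPLE_THETA = 4

if __name__ == "__main__":
    hfks, sk = shared_key_round(SAMPLE_FKS, SAMPLE_ALPHAS, SAMPLE_THETA)
    print("HFKs:", hfks, "SK:", sk)
    print("I(HFK;FK), uniform pad:", mutual_information(uniform(), uniform()))
    print("I(HFK;FK), biased pad :", mutual_information(uniform(), biased()))
```

With a uniform pad the mutual information is zero even when the FK distribution itself is biased, which is the sense in which the pad supplies the randomization.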
Chapter 4


Key  Revocation 


As  noted  in  chapter  two,  there  are  many  variations  of  the  rooted  tree  based 
key  distributions  proposed  to  minimize  the  storage  at  the  group  controller  and 
the  members  while  providing  a  reduction  in  the  amount  of  encryptions  required 
to  update  the  session  key  [36,  10,  11,  13,  15,  17,  14].  Many  of  these  tree  based 
schemes  seem  to  present  different  optimal  values  for  the  required  keys  to  be  stored 
at  the  GC  and  the  user  node. 

We show that these methods can be analyzed in a systematic manner. We also show that the design of an optimal tree is closely related to Huffman trees and the entropy of the member revocation event. We then show that this entropy provides a bound on the key length that can be provided if all the keys are of the same length. We perform a weakness analysis of some of the recent rooted tree based schemes using entropy and show that these schemes do not scale well.

We then show how to generate a key management scheme with a specified amount of user collusion, thus generating a family of key management schemes.
4.1 Distribution of Keys on the Tree


We reproduce the tree structure from chapter two in this section. Figure 4.1 presents a KEK distribution based on a binary rooted tree for 8 members. As noted earlier, the leaves are in one-to-one correspondence with members. Each node of the tree represents a key. The set of keys along the path from the root to a particular leaf node is assigned to the member represented by that leaf node. For example, member $M_1$ in figure 4.1 is assigned the KEKs $\{K_0, K_{2.1}, K_{1.1}, K_{0.1}\}$.

Figure 4.1: The Logical Key Tree of [10, 11, 13, 15, 17] (root key at the top; the leaves $M_1, M_2, \ldots, M_8$ are the members; image not reproduced)

Member revocation details were presented in chapter two and are not reproduced here.

The following observations can be made about the rooted tree based key distributions:

• Since each member is assigned $\log_d N + 2$ keys, deletion of a single member requires $\log_d N + 2$ keys to be invalidated.

• Since there are $\log_d N + 1$ nodes between the root and a leaf and $\log_d N$ nodes are shared with other members, and for each common node one encryption is required, the GC needs to perform a total of $\log_d N$ encryptions.

• For a $d$-ary tree with depth $h = \log_d N$, the GC has to store $1 + 1 + d + d^2 + \cdots + d^h = \frac{d(N+1) - 2}{d - 1}$ keys. Setting $d = 2$ leads to the binary tree for which the required amount of storage works out to be $\frac{2(N+1) - 2}{2 - 1} = 2N$. This result can be independently checked by noting that a binary tree with $N$ leaves has $2N - 1$ nodes. Hence the GC has to store the SK and $(2N - 1)$ KEKs, leading to $2N$ keys that need to be stored.

In [15, 17], binary rooted tree based key distributions which require the GC to store a total of $2 \log_2 N$ keys were proposed. The generalized version of this result requires $d \log_d N$ keys to be stored at the GC. Each member needs to store only $\log_d N + 2$ keys in this scheme. However, the number of keys to be updated remains at $\log_d N$ as in [10, 11]. Hence, at first glance, the results in [17] seem to reduce the storage requirements for the GC by

$\frac{d(N+1) - 2}{d - 1} - d \log_d N = \frac{d\,(N + 1 - (d - 1) \log_d N) - 2}{d - 1}$

keys without increasing the key storage requirements at the end user node.


4.2  Preliminary  Observations 

We first show the need to optimize the rooted tree using a worst case example. Let us consider the binary rooted tree shown in figure 4.2.

Figure 4.2: An Unbalanced Key Distribution (image not reproduced)

Since the SK and the root key are common to all the members, they will be invalidated each time a member is revoked. In this tree, if all the members have equal probability of being revoked, the average number of keys to be invalidated when a member is revoked is given by

$\frac{3 + 4 + \cdots + (N + 2) + (N + 2)}{N} = \frac{N + 1 + N(N + 1)/2}{N} = \frac{(N + 1)(N + 2)}{2N}.$

Hence, the average number of keys to be invalidated grows as $O(N)$ in this model. In rooted trees from [10, 11, 17] the number of keys to be invalidated is of order $O(\log_d N)$.

The key assignment problem in [10, 11, 17, 15, 13, 14] has been related to the number of members alone. The number of keys per member was assigned based on the observation that for $N$ members $\log_d N$ keys are enough for a rooted tree.

We however will show that the problem of key assignment can be related to the physical process of member revocation and that it can be intimately related to a suitably defined "entropy" of the member revocation event. We further demonstrate some interesting capabilities of this approach, including security weakness analysis. In order to develop our formulation, we first define the terminology and show that the well known Kraft inequality plays a critical role in compromise recovery.

4.2.1 Member Indexing

Let $X_{n-1} X_{n-2} \cdots X_1 X_0$ be the binary index sequence representing $N$ users. Following the conventional network terminology, we call this indexing the User Index (UID). In order for the GC to be able to revoke each member and invalidate the keys, the GC has to store a member index and the corresponding set of keys assigned to that member. Hence, the UID for a member has to be in one-to-one correspondence with the set of keys assigned to that member. This requirement implies that each member should be indexed using the set of keys assigned to that member. We now define the Key Index (KID) in the following manner.

Definition: The Key Index (KID) of a member $i$ is defined as the string generated by concatenation of the keys assigned to the member $i$, taken in any order. If the number of keys assigned to member $i$ is denoted by $L_i$, then there are $L_i!$ possible different sequences that can be generated using these $L_i$ keys. All these KIDs are equivalent. Hence, the KID of a member is an equivalence class with $L_i!$ elements in it, where $L_i$ is the number of keys assigned to member $i$.

$M_1$ in figure 4.1 has five KEKs and is represented by the string $K_0 K_{2.1} K_{1.1} K_{0.1}$. Since there are 120 different ways to concatenate these keys, there are 119 additional strings generated by rearranging and concatenating the keys assigned to $M_1$.

Use of the UID alone as in [10, 11, 15, 17] doesn't provide insights into the problems due to user collusion. The discussion on user collusion is presented in a later section due to its separate significance.
4.2.2 Unique Key Set Assignment and Kraft Inequality

At the time of member revocation, the GC has to be able to uniquely identify the set of keys assigned to the revoked member and invalidate the keys. After revoking a member, securely reaching the rest of the group requires that each valid member has one or more keys that are not in the set of keys assigned to the revoked member. We will call the ability of the GC to reach the valid members under some user(s) revocation the reachability condition. Unlike other works that emphasize the UID, we note that the KID plays a major role since it is the keys that need to be invalidated and (re)generated.

One important necessary condition for reachability to hold in the rooted tree based key assignment is that the KID of any member should not be a prefix of the KID of any other member. On the rooted tree, this leads to the well known Kraft inequality given below.

Theorem 4.1. Kraft Inequality for KID
For a $d$-ary rooted key tree with $N$ members and KIDs satisfying the prefix condition, if we denote the number of keys for member $i$ by $l_i$, the sequence $\{l_1, l_2, \cdots, l_N\}$ satisfies the Kraft inequality given by

$\sum_{i=1}^{N} d^{-l_i} \le 1.$ (4.3)

Conversely, given a set of numbers $\{l_1, l_2, \cdots, l_N\}$ satisfying this inequality, there is a rooted tree that can be constructed such that each member has a unique KID with no prefixing.

Proof: Presented in [1], and is not included here.
4.2.3 Limitations of Kraft Inequality

We now show why the Kraft inequality is only a necessary condition for reachability. Let $A$, $B$, and $C$ be three members who have been assigned keys $\{K_1, K_2, K_3\}$, $\{K_1, K_2, K_3, K_5, K_6\}$, and $\{K_4, K_5, K_6\}$ respectively. For a binary tree these lengths satisfy the Kraft inequality since $(2^{-3} + 2^{-5} + 2^{-3}) = \frac{9}{32} < 1$. We note that if the member $B$ is revoked, all the keys of member $A$ are completely invalidated whereas the keys of member $B$ will be only partially invalidated. If, on the other hand, member $A$ is revoked, the GC can securely reach members $B$ and $C$ using any one of the keys from the set $\{K_5, K_6\}$. However, if the GC has to revoke members $A$ and $C$ simultaneously, all the keys of member $B$ will be compromised. Although the set of keys assigned to member $B$ is not a concatenation of the keys of members $A$ and $C$, all the keys assigned to $B$ are contained in the set of keys assigned to members $A$ and $C$. Hence, the condition that the KID of a member should not be a prefix of the KID of another member is not a sufficient condition for reachability. Moreover, this example shows that the choice of KIDs satisfying the Kraft inequality does not imply that the KID system is collusion resistant.
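The three-member example above, as an added check that is not code from the dissertation: the KID lengths pass the Kraft inequality for $d = 2$, the prefix condition fails in the set sense ($A$'s keys lie inside $B$'s), and revoking $A$ and $C$ together leaves $B$ with no uncompromised key.

```python
"""Kraft inequality versus reachability on the three-member example.

Added illustration; not code from the dissertation. Members A, B and C hold the
key sets given in the text. Their KID lengths satisfy the Kraft inequality for a
binary tree, yet the GC cannot reach B once A and C are revoked together, because
every key B holds is then compromised.
"""
from fractions import Fraction
from itertools import combinations

# Key sets from the text, as a constructed lookup table.
KEYS = {
    "A": {"K1", "K2", "K3"},
    "B": {"K1", "K2", "K3", "K5", "K6"},
    "C": {"K4", "K5", "K6"},
}


def kraft_sum(key_sets, d=2):
    """sum_i d^(-l_i) with l_i the number of keys of member i (left side of (4.3))."""
    return sum(Fraction(1, d ** len(ks)) for ks in key_sets.values())


def satisfies_kraft(key_sets, d=2):
    """Kraft inequality on the KID lengths alone."""
    return kraft_sum(key_sets, d) <= 1


def prefix_free(key_sets):
    """Set form of the prefix condition: no member's key set is contained in another's."""
    return not any(key_sets[a] <= key_sets[b]
                   for a in key_sets for b in key_sets if a != b)


def compromised_keys(key_sets, revoked):
    """Union of the key sets of the revoked members."""
    return set().union(*(key_sets[m] for m in revoked))


def usable_keys(key_sets, member, revoked):
    """Keys of `member` the GC can still use to rekey it after `revoked` leave."""
    return sorted(key_sets[member] - compromised_keys(key_sets, revoked))


def unreachable_after(key_sets, revoked):
    """Valid members with no uncompromised key: the reachability condition fails for them."""
    bad = compromised_keys(key_sets, revoked)
    return sorted(m for m in key_sets if m not in revoked and key_sets[m] <= bad)


def collusion_failures(key_sets, max_colluders=2):
    """Every revoked subset (up to max_colluders members) that cuts some valid member off."""
    failures = {}
    for r in range(1, max_colluders + 1):
        for revoked in combinations(sorted(key_sets), r):
            cut = unreachable_after(key_sets, revoked)
            if cut:
                failures[revoked] = cut
    return failures


if __name__ == "__main__":
    print("Kraft sum:", kraft_sum(KEYS), "prefix-free:", prefix_free(KEYS))
    print("A revoked, B reachable via:", usable_keys(KEYS, "B", ("A",)))
    print("revocations that cut off a valid member:", collusion_failures(KEYS))
```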

On  the  other  hand,  the  KIDs  satisfying  the  Kraft  inequality  do  help  to  solve 
another  important  problem,  namely  the  optimal  key  allocation  per  member.  We 
present  the  needed  formulation  in  the  next  section.  This  optimal  assignment 
is  very  closely  tied  to  the  underlying  physical  process  of  member  revocation  as 
shown  in  the  next  section. 
4.3 Probabilistic Modeling of Member Revocation

Since the key updates are performed in response to member revocation, statistics of the member revocation event are useful data for system design and performance characterization. Hence, the statistics of member revocation should be linked to the assignment of the KID to a member. It may be noted that we are not making any claim about the specific selection of any key at this stage. We denote by $p_i$ the probability of revocation of member $i$.

4.3.1 Relating the Probability of Member Revocation to the Keys on the Rooted Tree

The physical process of member revocation is related to the rooted trees via the leaf nodes using the following observations.

• Since each member in the rooted tree is assigned to a unique leaf, the probability of revocation of a member is equal to the probability of revocation of the corresponding leaf node.

• Since all the nodes of the rooted tree are assigned a unique key, the probability of revocation of a leaf node is also the probability of revocation of the key represented by the leaf node.

• Hence, we note that the probability $p_i$ of revoking member $i$ is equivalent to having the probability $p_i$ of revoking the key at the leaf $i$.

We can also derive additional properties that are more useful on the trees. For example, although the probability of revocation of any intermediate node key is a composition of the probabilities of all the children nodes, the KIDs are sets uniquely associated with each member. Hence, the probability of revocation of a member is identical to not only the revocation of the leaf node key, but also the revocation of the set of keys assigned to that member, taken together as a set. The individual revocation probabilities of the keys may be different, and can be computed using basic formulae with some realistic assumptions.

The following assumptions are implicit in the models presented in [10, 17, 15] and are useful in the derivation of the optimal number of keys to be assigned to each member.

• Assumption 1: Revocations of members are mutually independent events.

• Assumption 2: The number of members $N$ is a fixed quantity.

This assumption is restrictive and can at best satisfy only one temporal "snapshot" of the real world requirement. Implicit in this assumption is the property that the tree structure is fixed over the entire session. One way to remove this constraint is to set $N$ as the maximal allowed number of members. In deriving the optimal number of keys to be assigned per member, we will assume that $N$ represents the number of members in the group.

The assumption that the member revocation events are independent allows a simple computation of the probabilities of revocation of all the intermediate node keys on the tree. Let the branch $k$ of an intermediate node $i$ have the probability of revocation $p_{i_k}$. If the individual member revocations are statistically independent, the following equation gives the probability of revocation $p_i$ of the intermediate node $i$ of a $d$-ary rooted tree.

$p_i = \sum_{k=1}^{d} p_{i_k}$ (4.4)

Hence, starting from the revocation probabilities of the leaf nodes, one can compute the probabilities of revocation of all the intermediate nodes. Using the recursive nature of the rooted tree structure, every probability of revocation of any key corresponding to an internal node can be expressed in terms of the probabilities of the member revocation. In particular, the root key and the session key are revoked every time a member is revoked.

4.3.2 Defining the Entropy of Member Revocation Event

In physical processes that involve probabilistic modeling, one can often define the uncertainty of the occurrence of an event using a suitably defined entropy of the process. We will use Shannon entropy [1] to express the amount of uncertainty as to which member will be revoked. We first define the entropy of the member revocation event.

Definition: We define the $d$-ary entropy $H_d$ of the member revocation event by

$H_d = -\sum_{i=1}^{N} p_i \log_d p_i$ (4.5)

where $p_i$ is the probability of revocation of member $i$. As mentioned earlier, the entropy expresses the uncertainty as to which member will be revoked in $d$-ary digits.

Since the member revocation event and the leaf node key revocation event are probabilistically identical, the entropy of the member revocation event is the same as the entropy of the leaf key revocation event.

Leaf Key Revocation Entropy is the entropy or uncertainty as to which of the leaf keys will be revoked. Since the leaf key revocation probabilities are in one-to-one correspondence with the member revocation probabilities, the leaf key revocation entropy is identical to the entropy of the member revocation event.

Hereafter we will use the term entropy of the member revocation event instead of leaf key revocation entropy since they are equivalent. Another very useful observation is that since the member revocation event is also probabilistically equivalent to the KID revocation event, the entropy of the member revocation event is identical to the entropy of the KID revocation event.

A main outcome of these observations is that the entropy of the KID revocation event is identical to, and can be completely characterized by, the entropy of the leaf key revocation event (which is equivalent to the member revocation event).

With this probabilistic model, we show below that we can:

• Derive the optimal number of keys per member.

• Analyze the collusion properties of some schemes.

• Derive a bound on the length of the keys.

• Determine if a given rooted key scheme can sustain its key generation rates.

4.3.3 Assigning Optimal Number of Keys per Member

Since the SK and the root key are common to all the members, these two keys do not contribute to the optimization. We now show that the optimal key assignment on the rooted tree can be posed as an optimization problem.

Theorem 4.2. For a key assignment satisfying the Kraft inequality, the optimal average number of keys, excluding the root key and the SK, held by a member is given by the $d$-ary entropy $H_d = -\sum_i p_i \log_d p_i$ of the member revocation event. For a member $i$ with probability of revocation $p_i$, satisfying this optimality, the optimal number of keys $l_i^*$, excluding the root key and the TEK, is given by

$l_i^* = \log_d \frac{1}{p_i}.$ (4.6)

Proof:

The average number of keys held by the members, denoted by $\bar{l}$, is given by:

$\bar{l} = \sum_{i=1}^{N} p_i l_i.$ (4.7)

Then the constrained problem is to minimize $\bar{l}$, subject to the constraint of the Kraft inequality given by

$\sum_{i=1}^{N} d^{-l_i} \le 1.$ (4.8)

Using Lagrangian multipliers leads to the following convex cost function

$C = \sum_{i=1}^{N} p_i l_i + \lambda \left( \sum_{i=1}^{N} d^{-l_i} \right)$ (4.9)

where $\lambda$ is the Lagrange multiplier, and $\sum_{i=1}^{N} d^{-l_i} \le 1$. Differentiating $C$ by $l_i$ leads to

$\frac{\partial C}{\partial l_i} = p_i - \lambda d^{-l_i} \log d$ (4.10)

where "log" with no base denotes the natural logarithm. Setting the derivative to zero yields the optimal value of $l_i$ as

$p_i = d^{-l_i} \lambda \log d.$ (4.11)

Using the constraints on the probability and the Kraft inequality leads to

$p_i = d^{-l_i^*}$ (4.12)

$l_i^* = -\log_d p_i$ (4.13)

$= \log_d (1/p_i).$ (4.14)

We note

$\frac{\partial^2 C}{\partial l_i \partial l_j} = \lambda d^{-l_i} (\log d)^2 \delta_{i,j} = \delta_{i,j}\, p_i \log d > 0;$ (4.15)

where

$\delta_{i,j} = \begin{cases} 1 & \text{if } i = j \\ 0 & \text{if } i \neq j \end{cases}$

Since the second partials are positive, the optimal values of the $l_i$'s correspond to a global minimum value of the cost function $C$. Using the convexity of the cost function, this minimum is indeed the global minimum of the cost function $C$. Hence, optimization of the LKT provides the minimal number of average keys per member (excluding the SK and the root key), and this optimum value is given by

$\bar{l}^* = \sum_{i=1}^{N} p_i l_i^* = -\sum_{i=1}^{N} p_i \log_d p_i = H_d$ (4.16)

where $H_d = -\sum_{i=1}^{N} p_i \log_d p_i$ is the entropy of the member revocation event. Since the SK and the root key are common to all the members, the optimal average number of keys per member is given by $H_d + 2$, and the number of keys assigned to member $i$ with revocation probability $p_i$, including the SK and the root key, is given by

$l_i^* + 2 = -\log_d p_i + 2 = \log_d \frac{d^2}{p_i}.$ (4.17)
The following properties, which are very useful in the identification of the minimal number of keys that can be used after member revocation, are summarized in the form of the lemma below; they are also satisfied by the optimal number of keys held by a member.

Lemma 4.1.

1. If $p_i \ge p_j$, then $l_i (= -\log_d p_i) \le l_j (= -\log_d p_j)$.

2. There must be at least two members with the largest number of keys.

3. Since the number of keys assigned per member needs to be an integer, the true average number of keys per member is more than the optimal value, and is not more than $d$ additional keys.

In order to derive the last part of the lemma, we need the following definition from information theory [1].

Definition: The relative entropy or the Kullback Leibler distance between two probability mass functions $p(x)$ and $q(x)$ is defined as

$D(p \| q) = \sum_x p(x) \log \frac{p(x)}{q(x)}.$ (4.18)

Sketch of the Proofs:

1. The logarithm being a monotone function, if $p_i \ge p_j$, then $\log_d p_i \ge \log_d p_j$. Hence $-\log_d p_i \le -\log_d p_j$, leading to $l_i (= -\log_d p_i) \le l_j (= -\log_d p_j)$.

2. If there are no two members with the largest number of keys, then we can reduce the largest number of keys held by at least one and still ensure that all members have unique sets of keys assigned. However this reduction will violate the proof of optimality of the individual codeword lengths. Hence, at least two members should be assigned the largest number of keys.
3. In the earlier derivation we showed that the entropy is the point of optimality, and is indeed a global minimum of the average number of keys held by a member. Since the number of keys needs to be an integer, the average number of extra keys is given by

$\sum_{i=1}^{N} p_i l_i - H_d = \sum_{i=1}^{N} p_i l_i + \sum_{i=1}^{N} p_i \log_d p_i$ (4.19)

$= \sum_{i=1}^{N} p_i \log_d \frac{p_i}{d^{-l_i}}$ (4.20)

$= \sum_{i=1}^{N} p_i \log_d \frac{p_i}{q_i} + \log_d \frac{1}{\sum_{j=1}^{N} d^{-l_j}}$ (4.21)

$= D(p \| q) + \log_d \frac{1}{\sum_{j=1}^{N} d^{-l_j}}$ (4.22)

where $q_i = \frac{d^{-l_i}}{\sum_{j=1}^{N} d^{-l_j}}$.

To show that the difference is non-negative, we need to show that $D(p \| q) = \sum_{i=1}^{N} p_i \log_d \frac{p_i}{q_i}$ and $\log_d \frac{1}{\sum_{j=1}^{N} d^{-l_j}}$ are non-negative. From the Kraft inequality, $\sum_{j=1}^{N} d^{-l_j} \le 1$, we have $\frac{1}{\sum_{j=1}^{N} d^{-l_j}} \ge 1$. Hence, $\log_d \frac{1}{\sum_{j=1}^{N} d^{-l_j}} \ge 0$.

To show that the term $D(p \| q) \ge 0$, we need the following known lemma.


Lemma 4.2. Let $\{a_i\}$ and $\{b_i\}$ be two sets of non-negative quantities. Then

$\sum_{i=1}^{N} a_i \log_d \frac{a_i}{b_i} \ge \left( \sum_{i=1}^{N} a_i \right) \log_d \frac{\sum_{i=1}^{N} a_i}{\sum_{i=1}^{N} b_i}$ (4.23)

with equality being achieved iff $\frac{a_i}{b_i}$ = constant.

Proof: Let $y = \log t$. Then the tangent to the curve $y$ at the point $(t', \log t')$ is given by the equation $y - \log t' = \frac{t - t'}{t'}$. Except at the point of tangency, the curve $y = \log t$ is below the line $y = \frac{t - t'}{t'} + \log t'$. At the point of tangency,
In summary, the optimal key allocation strategy requires that the member with revocation probability $p_i$ be assigned $\log_d \frac{1}{p_i}$ keys. In the case of binary rooted trees, the optimal number of keys for a member with probability of revocation $p_i$ is $\log_2 \frac{1}{p_i}$.

The results indicating that there are at least two members with the largest KID also indicate that the tree is packed, i.e., if a member is revoked, all the complementary keys of that member are needed to securely reach the rest of the members. If there are bulk member removals, the set of keys that are in the complementary set of the revoked members can be used to securely update the valid members. Depending on the nature of the specific key choices it is possible to develop a fast algorithm for key updates.

4.3.4 Maximum Entropy and the Key Assignment

The results reported in [10, 11, 13, 17, 15] present rooted trees with all members having the same number of keys. Since the optimal number of keys for a member $i$ with probability of revocation $p_i$ is $\log_d \frac{1}{p_i}$, this assignment is equivalent to treating $\log_d \frac{1}{p_i}$ = constant for all values of $i$. Hence, the results in [10, 11, 17, 15, 13] assume that the probability of revocation is uniform for the entire group. Since the uniform distribution maximizes the entropy and the entropy is the average number of keys per member under the optimal strategy, the schemes in [10, 11, 13] assign the maximal set of keys per member. We summarize these results by the following theorem.

Theorem 4.3. Since the entropy of member revocation $H_d = -\sum_i p_i \log_d p_i$ is maximized when the revocation probabilities are uniform and the schemes in [10, 11, 17, 15, 13] implicitly assume uniform member revocation probabilities, these schemes correspond to the worst case key assignments for individual members. These schemes assign $\log_d N + 2$ keys per member, where $N$ is the group size.

We note here that the use of the maximal number of keys per member does not imply that the key distribution scheme is free of any possible member collusion or even secure. We elaborate on this point later. Next we derive the explicit bounds on the optimal number of keys per member.
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4.3.5  Upper  Bounds  on  the  Integer  Values  of  keys 

The  optimal  number  of  keys  for  a  member  with  probability  of  revocation  p,:  in  a 
d  —  ary  rooted  tree  key  management  scheme  was  shown  to  be 

\ogd—.  (4.29) 

Vi 

Since this quantity corresponds to the number of physical keys, it has to be
an integer value. The following theorem summarizes the bound on the optimal
number of keys to be held by a member. If we denote the integer value of the
average number of keys, excluding the SK and the root key, held by members
by $l^*$, the bounds on the optimal number of keys per member are given by the
following inequalities.

Theorem 4.4. The optimal average number of keys held by a member satisfies

$H_d + 2 \le l^* + 2 < H_d + 3. \quad (4.30)$

Proof: Using the notation $\lceil -\log_d p_i \rceil$ to represent the smallest integer
greater than or equal to $-\log_d p_i$, we have the integer value of $l_i^*$ as

$l_i^* = \lceil -\log_d p_i \rceil. \quad (4.31)$

For this choice of $l_i^*$, we have

$-\log_d p_i \le l_i^* < -\log_d p_i + 1 = \log_d \frac{d}{p_i}. \quad (4.32)$

For this value of $l_i^*$, the Kraft inequality is still satisfied since

$\sum_{i=1}^{N} d^{-l_i^*} = \sum_{i=1}^{N} d^{-\lceil -\log_d p_i \rceil} \le \sum_{i=1}^{N} d^{\log_d p_i} = \sum_{i=1}^{N} p_i = 1. \quad (4.33)$

Multiplying equation (4.33) by $p_i$ and summing over $i$ leads to

$-\sum_{i=1}^{N} p_i \log_d p_i \le \sum_{i=1}^{N} p_i l_i^* < -\sum_{i=1}^{N} p_i \log_d p_i + \sum_{i=1}^{N} p_i \quad (4.34)$

$\Rightarrow H_d \le l^* < H_d + 1 \quad (4.35)$

$\Rightarrow H_d + 2 \le l^* + 2 < H_d + 3. \quad (4.36)$

Since the average number of keys per member is $(l^* + 2)$, we note that the
optimal number of average keys per member is at most 3 $d$-ary digits more,
and is at least 2 $d$-ary digits more than the entropy of the member revocation
event.

4.3.6  Effect  of  Using  Incorrect  Entropy  on  Key  Length 

In  figure  4.2  we  presented  the  effect  of  an  unbalanced  rooted  tree  on  the  number 
of  keys  to  be  assigned  and  to  be  invalidated.  We  note  that  this  quantity  can  be 
completely  characterized  using  basic  results  from  information  theory  as  well. 

Let us assume that the true revocation probability of member $i$ is $p_i$ and the
used probability of revocation for member $i$ is $q_i$. Hence, the optimal number of
keys to be assigned to that member is given by

$l_i^* = \lceil -\log_d q_i \rceil. \quad (4.37)$

Using  an  incorrect  distribution  introduces  redundancy  in  the  number  of  keys 
that  are  assigned  to  the  members.  This  redundancy  is  given  by  the  following 
theorem. 

Theorem 5. The average number of keys per member under the true distribution
$p$, with the number of keys selected based on $l_i = \lceil -\log_d q_i \rceil$, satisfies the
following bounds

$H_d(p) + D(p\|q) \le L < H_d(p) + D(p\|q) + 1. \quad (4.38)$
Proof: The upper bound is derived as:

$L - H_d(p) = \sum_{i=1}^{N} p_i \left( \lceil -\log_d q_i \rceil + \log_d p_i \right) \quad (4.39)$

$< \sum_{i=1}^{N} p_i \left( -\log_d q_i + \log_d p_i + 1 \right)$

$= \sum_{i=1}^{N} p_i \left( \log_d \frac{p_i}{q_i} + 1 \right)$

$= D(p\|q) + 1$

$\Rightarrow L < H_d(p) + D(p\|q) + 1.$

The lower bound is derived as:

$L - H_d(p) = \sum_{i=1}^{N} p_i \left( \lceil -\log_d q_i \rceil + \log_d p_i \right) \quad (4.40)$

$\ge \sum_{i=1}^{N} p_i \left( -\log_d q_i + \log_d p_i \right)$

$= \sum_{i=1}^{N} p_i \log_d \frac{p_i}{q_i}$

$= D(p\|q)$

$\Rightarrow L \ge H_d(p) + D(p\|q).$

Hence, on average the number of redundant keys assigned to a member due
to the use of an incorrect distribution is given by the inequalities (4.38).
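Both bounds can be checked numerically. The following Python is an added example and not part of the dissertation: it computes the integer key counts $l_i^* = \lceil -\log_d p_i \rceil$ of (4.31), verifies the Kraft inequality (4.33) and the bound (4.30) of Theorem 4.4, and, for Theorem 5, takes key counts chosen from an assumed distribution $q$ and compares their average under the true $p$ against $H_d(p) + D(p\|q)$ as in (4.38). The function names are this example's own, and the distributions used to exercise it are constructed.

```python
import math
from typing import Sequence


def log_d(x: float, d: int) -> float:
    """Base-d logarithm; log2 is used for d = 2 so that powers of two come out exact."""
    return math.log2(x) if d == 2 else math.log(x) / math.log(d)


def optimal_key_counts(p: Sequence[float], d: int = 2) -> list:
    """Integer key count per member, l_i^* = ceil(-log_d p_i), equation (4.31).
    A 1e-9 tolerance absorbs floating-point error in the logarithm."""
    return [math.ceil(-log_d(pi, d) - 1e-9) for pi in p]


def kraft_sum(lengths: Sequence[int], d: int = 2) -> float:
    """Kraft sum sum_i d^{-l_i}; at most 1 means a d-ary tree with these leaf
    depths exists, so the key assignment is realisable (equation (4.33))."""
    return sum(d ** (-l) for l in lengths)


def entropy(p: Sequence[float], d: int = 2) -> float:
    """Member revocation entropy H_d = -sum_i p_i log_d p_i."""
    return -sum(pi * log_d(pi, d) for pi in p if pi > 0)


def kl_divergence(p: Sequence[float], q: Sequence[float], d: int = 2) -> float:
    """D(p||q) = sum_i p_i log_d (p_i / q_i): the redundancy term of (4.38)."""
    return sum(pi * log_d(pi / qi, d) for pi, qi in zip(p, q) if pi > 0)


def average_keys(p: Sequence[float], lengths: Sequence[int]) -> float:
    """Average keys per member excluding the SK and the root key: sum_i p_i l_i."""
    return sum(pi * li for pi, li in zip(p, lengths))


def check_theorem_4_4(p: Sequence[float], d: int = 2) -> bool:
    """Kraft inequality holds and H_d + 2 <= l^* + 2 < H_d + 3 (equation (4.30))."""
    lengths = optimal_key_counts(p, d)
    l_star = average_keys(p, lengths)
    h = entropy(p, d)
    eps = 1e-9
    return (kraft_sum(lengths, d) <= 1 + eps
            and h + 2 <= l_star + 2 + eps
            and l_star + 2 < h + 3)


def check_theorem_5(p: Sequence[float], q: Sequence[float], d: int = 2) -> bool:
    """Key counts chosen from the assumed q, averaged under the true p:
    H_d(p) + D(p||q) <= L < H_d(p) + D(p||q) + 1 (equation (4.38))."""
    lengths = optimal_key_counts(q, d)
    big_l = average_keys(p, lengths)
    bound = entropy(p, d) + kl_divergence(p, q, d)
    return bound - 1e-9 <= big_l < bound + 1


def redundant_keys(p: Sequence[float], q: Sequence[float], d: int = 2) -> float:
    """Extra keys per member caused by planning the tree with q instead of the true p."""
    return (average_keys(p, optimal_key_counts(q, d))
            - average_keys(p, optimal_key_counts(p, d)))
```

With the dyadic distribution $p = (1/2, 1/4, 1/8, 1/8)$ the Kraft sum is exactly 1 and $l^* = H_2 = 1.75$; planning instead with the uniform $q = (1/4, 1/4, 1/4, 1/4)$ gives every member 2 keys, and the 0.25 extra keys per member equal $D(p\|q)$.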

Apart from being closely related to the optimal key assignments, the entropy
of the member revocation event is also related to the sustainable key length of the
secure multicast group, as shown next. To our knowledge, a result of this kind is
not available in the literature on key length selection.
4.3.7 Bounds on Average Key Length

When there is a member revocation, the average number of keys to be invalidated
is given by $(2 + H_d)$. If each key is $L$ digits long, then in order to update these
keys, the total number of digits that need to be generated by the GC after member
revocation is $L(2 + H_d)$ digits. Since $H_d \le \log_d N$ with equality attained iff all
the members have equal revocation probabilities, the hardware needs to be able to
generate an average of $L \log_d (N d^2)$ digits within the next unit of time of update
to let the session continue. The following theorem summarizes this result.

Theorem 4.6. For a $d$-ary rooted tree key distribution scheme in which each
key is of length $L$ digits, if the hardware digit generation rate is given by $B$, then
the key length is bounded above by $L \le \frac{B}{H_d + 2}$ on average and the maximally
allowable key length is bounded by $L \le \frac{B}{\log_d (N d^2)}$. Considering individual
members, the key length is bounded below and above by

Proof: As shown earlier, the average number of keys to be generated in the
event of member revocation is given by $(2 + H_d) = 2 + \sum_{i=1}^{N} p_i l_i$. Hence, the
hardware should be able to generate a total of $L(H_d + 2)$ digits of suitable quality^1
in a unit of time to let the session continue without delays in the average sense.
Hence the hardware digit generation rate $B$ must satisfy $B \ge L(H_d + 2)$. Observing
that the entropy is maximal under the uniform distribution and that the maximal value
is given by $H_d \le H_d(U) = \log_d N$ leads to the bound $L \le \frac{B}{\log_d (N d^2)}$ with equality
iff all the members have the same revocation probabilities. The minimal and
maximal allowed key lengths are decided by the maximal and the minimal member
revocation probabilities $p_{max}$ and $p_{min}$ and satisfy

^1 Based on the application specific use of the key.

Since it is of interest to make sure that the system sustains the secure communication
mode, one strategy is to design the system so that it satisfies the
worst case scenario. Hence the hardware digit generation rate $B$ needs to satisfy

$B \ge L \log_d (N d^2).$

In  summary,  it  was  shown  that  the  entropy  of  member  revocation  event  plays 
an  important  role  in  deciding  the  key  length  if  the  system  were  to  update  the 
keys  each  time  a  member  is  revoked. 

4.4 Security Analysis of Recent Results Using Member Revocation Entropy

The authors in [15] noted that given the binary index of a member, each bit in
the index takes two values, namely 0 or 1. To follow the example given in [15],
when $N = 16$, $\log_2 16 = 4$ bits are needed to uniquely index all 16 members.
The authors then proceeded to claim that since each bit takes two values, it can
be symbolically mapped to a distinct pair of keys. The table below reproduces
the mapping between the ID bit # and the key mapping for the case in [15] for
$N = 8$:

ID Bit #0    $K_{0,0}$    $K_{0,1}$
ID Bit #1    $K_{1,0}$    $K_{1,1}$
ID Bit #2    $K_{2,0}$    $K_{2,1}$

where the key pair $(K_{i,0}, K_{i,1})$ symbolically represents the two possible values of
the $i$th bit of the member index. Although this table does provide a one-to-one
mapping between the set of keys and the member index using only eight keys,
the problem with this approach becomes clear if we map the table to the rooted
tree structure. Figure 2 shows the mapping of the keys on the tree. (For the
sake of clarity, not all the keys corresponding to the leafs are shown in figure 2.)
Adjacent leafs have $K_{2,0}, K_{2,1}$ as the keys and this pair is repeated across the level.
In fact, at any depth only two specific keys have been used and duplicated across
the depth.

In approaches such as [17, 15] that map the UID to keys as in optimal Huffman coding, a
special case of member revocation brings these key management schemes to a halt
by collusion. This happens if the members $M_0$ and $M_7$ need to be revoked. The
corresponding keys to be revoked are shown in figure 4.3. These two members
have only the session key in common. However, if these two members need to
be simultaneously revoked, the group controller is left with no key to securely
communicate with the rest of the valid members. This reduces the rooted tree
to the GKMP [7]. The compromise recovery for this case requires that the entire
group re-key itself by contacting one member at a time.

The  key  assignments  in  [17,  15]  and  their  variations  also  allow  the  members 
to  collaborate  or  collude  and  break  the  system.  We  now  discuss  user  collusion  on 
the  rooted  tree  in  [17,  15]. 

4.4.1  Impact  of  Member  Collusion  on  Rooted  Trees 

We  showed  that  if  more  than  one  member  were  to  be  revoked,  the  whole  key 
scheme  may  be  compromised.  There  are  three  different  ways  to  interpret  the 
collusion  problems  with  approaches  in  [15,  17]  based  on  rooted  trees.  We  present 
them  in  the  order  of  generality: 
[Figure 4.3: The Key Distribution in [17, 15]. Legend: SK at the root; marked nodes represent the valid keys.]

Interpretation  based  on  Minimal  number  of  Key  Requirements 

A  simple  way  to  interpret  the  shortcomings  of  the  results  in  [15,  17]  is  to  note  that 
2  log2  N  <  N,  if  N  >  4.  In  order  to  prevent  member  collusion  from  being  able  to 
break  the  rest  of  the  system,  there  must  be  at  least  N  keys  so  that  each  member 
has  a  unique  key  and  can  be  contacted  at  the  time  of  member  revocation.  Since 
2  log2  N  <  N  (for  N  >  4)  is  the  number  of  distinct  keys  used  by  the  variation 
of  rooted  tree  presented  in  [15,  17],  such  a  scheme  can  be  completely  or  partially 
compromised  depending  on  the  colluding  members.  However,  when  N  =  4, 
2  log2  N  =  4.  Hence,  in  order  to  be  able  to  reach  any  valid  members  securely,  the 
key  distribution  has  to  be  a  degenerate  multicast  as  shown  in  figure  4.4. 
[Figure 4.4: Revocation of Members $M_0$, $M_7$ in [15, 17]. Legend: marked nodes represent the revoked keys.]

Interpretation  Based  on  Complementary  variables 

The  third  interpretation  is  based  on  the  notion  of  sets  and  includes  a  larger 
definition  of  collusion  discussed  under  the  category  of  complementary  variables 
in  [10].  The  approach  in  [15,  17]  is  a  special  case  of  the  complementary  variable 
approach.  If  the  secure  group  membership  is  a  set  such  that  every  member  is 
denoted  by  a  unique  key  and  that  key  is  given  to  all  other  members  but  the 
member  itself,  at  the  time  the  member  is  to  be  revoked,  all  other  members  can 
use  the  key  denoting  the  revoked  member  as  the  new  key.  For  a  set  of  N  members, 
all  the  members  will  have  (N  —  1)  keys  that  correspond  to  other  members  and 
no  member  will  have  the  key  denoting  itself.  Clearly,  if  two  members  collude, 
between  them  they  will  have  all  the  future  keys  of  the  group.  Hence,  this  kind  of 
key assignment does not scale beyond 2 members.


Interpretation  based  on  Huffman  Coding 

We  showed  that  the  average  number  of  keys  per  member  is  given  by  entropy.  We 
also  showed  that  if  the  distribution  is  uniform,  the  average  number  of  keys  per 
member  attains  its  maximum  value.  When  the  member  revocation  probabilities 
are  equal,  the  number  of  keys  assigned  to  a  member  is  same  as  the  average  number 
of  keys  per  member.  We  also  showed  that  this  strategy  is  used  in  [10,  11,  17,  15]. 

The schemes in [15, 17] mapped the UIDs to KIDs directly. Since the number
of bits needed for $N$ members is $\log_2 N$, the schemes in [15, 17] used a unique
pair of keys to symbolically map each bit position of the member index.
Hence, a total of $2 \log_2 N$ keys are used to uniquely represent each member index.
This selection of keys can create a set of $N$ unique indices and the codewords
generated by concatenating $\log_2 N$ keys satisfy the Kraft inequality. Hence, this
mapping of a unique pair of keys to each bit location corresponds to performing
a Huffman coding with $2 H_2(U)$ distinct keys, where $H_2(U) = \log_2 N$. However,
the problem with Huffman coding is that it is uniquely decodable! Hence, a key
assignment based on direct mapping of bit location to keys will lead to serious
security exposure. In fact, an attacker can break the whole system by breaking the
members whose indices are all ones and all zeros. These two members represent
all possible bit patterns and hence have all the $2 \log_2 N$ keys among themselves.

If we use the notation $(k_{j,0}, k_{j,1})$ to denote the unique key pair representing the
two possible binary values taken by the $j$th bit, we note that the collusion or
compromise of two members holding keys $k_{j,0}$ and $k_{j,1}$ respectively will compromise
the integrity of the key pair $(k_{j,0}, k_{j,1})$. The following lemmas summarize our
observations:


Lemma 4.3. If the binary rooted key tree uses Optimal Huffman Coding
for assigning members a set of keys based on $2 \log_2 N$ ($N > 4$) (here $N$ is
dyadic) distinct keys as in [15, 17], the whole system can be broken if any two
members whose “codewords” (and hence indices) are one’s complement of each
other collude or are compromised. Hence, the integrity of the systems in [15, 17] does not
scale beyond 4 members in the presence of colluding members.

In a $D$-ary tree, each digit takes $D$ values and the sum of these values is
given by $\frac{D(D-1)}{2}$. Hence, if a set of $k$ ($k \ge D$) members whose $i$th bit values, when
summed, lead to $\frac{D(D-1)}{2}$ collude, they will be able to fully compromise the $i$th bit
location. This result is summarized by:

Lemma 4.4. For a $D$-ary tree with $N$ members, the key corresponding
to bit location $b$ will be compromised by a subset of $k$ ($k \ge D$) members whose
symbolic values of the bit location $b$, denoted by the set $\{b_1, b_2, \dots, b_k\}$, satisfy
$b_1 + b_2 + \cdots + b_k = 0 \bmod \frac{D(D-1)}{2}$.
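The collusion argument behind Lemmas 4.3 and 4.4, and the comparison of schemes in figure 4.5 below, can be made concrete with a small model. The following Python is an added example and not code from the dissertation or from [15, 17]: it records the keys held by each member under the bit-mapped assignment of [15, 17], under a rooted binary tree with unrelated node keys as in [10], and under GKMP [7], and then determines which valid members can still be reached by a key that no revoked or colluding member holds. Member indices are 0-based, the session key SK is left out because every member shares it, and the function names are this example's own.

```python
from itertools import combinations
from typing import Callable, Dict, FrozenSet, Set


def bitmapped_keys(index: int, bits: int) -> FrozenSet:
    """Keys of one member under the mapping of [15, 17]: bit j of the index selects
    K_{j,0} or K_{j,1}, so only 2 log2 N keys exist in total."""
    return frozenset((j, (index >> j) & 1) for j in range(bits))


def tree_keys(index: int, bits: int) -> FrozenSet:
    """Keys of one member in a rooted binary tree with unrelated node keys [10]:
    one key per node on the path leaf -> root, a node being (depth, index prefix).
    Depth 0 is the root; 2N - 1 keys exist in total."""
    return frozenset((depth, index >> (bits - depth)) for depth in range(bits + 1))


def gkmp_keys(index: int, bits: int) -> FrozenSet:
    """GKMP [7]: every member holds only the shared group key."""
    return frozenset({("group",)})


def unexposed_keys(key_fn: Callable, n: int, revoked: Set[int]) -> Dict[int, FrozenSet]:
    """For each remaining member, the keys it holds that no revoked (or colluding)
    member holds. An empty set means the GC has no surviving key with which to
    reach that member, i.e. the group degenerates to GKMP-style one-by-one re-keying."""
    bits = n.bit_length() - 1
    exposed = frozenset().union(*(key_fn(m, bits) for m in revoked))
    return {m: key_fn(m, bits) - exposed for m in range(n) if m not in revoked}


def breaks_system(key_fn: Callable, n: int, revoked: Set[int]) -> bool:
    """True if at least one valid member is left unreachable."""
    return any(not keys for keys in unexposed_keys(key_fn, n, revoked).values())


def minimal_colluding_set_size(key_fn: Callable, n: int) -> int:
    """Smallest number of simultaneously revoked or colluding members that leaves
    some valid member unreachable (the quantity compared in figure 4.5)."""
    for size in range(1, n):
        if any(breaks_system(key_fn, n, set(c)) for c in combinations(range(n), size)):
            return size
    return n


def total_keys(key_fn: Callable, n: int) -> int:
    """Number of distinct keys the GC must manage under a scheme, N = n members."""
    bits = n.bit_length() - 1
    return len(frozenset().union(*(key_fn(m, bits) for m in range(n))))
```

For $N = 8$ the bit-mapped scheme uses 6 keys and fails as soon as $M_0$ and $M_7$ are revoked together (every other member is left with no unexposed key); revoking $M_0$ and $M_6$ instead leaves only the members with index bit 0 set reachable, the partial compromise mentioned above. The tree of [10] uses 15 keys and keeps every remaining member reachable through its leaf key until all but one are gone, while GKMP fails with a single member.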


4.4.2 On Generating a Large Class of Key Management Schemes with Varying Degree of Collusion

From our analysis of the tree based schemes, we note that many different key
management schemes with different levels of protection against user collusion
can be made. On one extreme, the keys representing the rooted tree have no
relationship, leading to a very high degree of integrity but also higher storage
requirements. On the other extreme, all members share the same keys as in
GKMP [7], leading to system failure in the event of a single member failure.
The schemes in [15, 17] fail with the collusion of two members, or can fail at
a different bit level depending on the index of the colluding members and on
how many digit locations are represented as $k$-ary digits. Figure 4.5
shows the comparison between various schemes.


[Figure 4.5: Effect of User failure of different schemes. Plotted: a binary tree with all the bits of the user index mapped to the key index, against the minimal number of members needed to fail in order to compromise the integrity of the entire system.]
Chapter 5


Oneway  Functions  for  Keys 


The  previous  chapter  dealt  with  the  design  and  analysis  of  rooted  tree  based  key 
distribution  schemes  that  will  optimize  the  key  storage  requirements  and  commu¬ 
nication  overhead.  In  doing  so,  no  assumption  was  made  about  the  mechanism 
by  which  the  keys  are  regenerated  or  distributed  to  the  group. 

In the recent past, there have been attempts to make use of cryptographically
strong functions to further reduce the amount of computation and the key storage
requirements at the GC. In particular, McGrew and Sherman [14] proposed a
rooted tree based key distribution approach that can deal with member join
or removal based on properties of oneway functions. Canetti coauthored two
papers which relied on the cryptographic strength of pseudo random functions
and provided (a) efficient key update [13] under member removal, and (b) efficient
communication and key storage [16] with sub-linear storage requirements.

In  [16]  Canetti  et  al.  stated  that  the  optimality  or  the  lack  of  it  for  their 
scheme  was  not  provable  in  the  paper  and  posed  it  as  an  open  problem.  We 
resolve  it  by  showing  that  the  storage  provided  by  them  is  not  optimal  and  that 
it  is  a  specific  point  along  a  cost  function  that  is  a  hyperbola.  We  also  show 
that the worst case optimal strategy is related to maximum entropy even under
their setup. This result, though obvious from the elementary information theory
point of view, shows that while clustering members into groups, the worst case
optimal strategy is to group members of the clusters so that the uncertainty as
to which cluster will need a key update is roughly equal. We now present
the current approaches and analyze them.

5.1 Oneway function tree of McGrew and Sherman

McGrew and Sherman modified the rooted tree of Wallner et al [10] using oneway
functions for explicitly computing the updated keys of the members. In order to
illustrate their approach, we consider a rooted binary tree of depth three. This
tree supports eight members and is shown in figure 5.1. The member $M_3$ is being
revoked and the key update for member $M_4$ using the oneway functions approach
of McGrew and Sherman [14] is demonstrated here. In this scheme, each node
$n$ is associated with two keys, a node key $k_n$ and a blinded node key $k'_n$. The
blinded node key is computed from the node key using the one-way function $g(\cdot)$ as
$k'_n = g(k_n)$.

In order to generate the blinded node keys, the GC chooses fresh random
keys and assigns a unique key to each leaf node. Since each leaf node is assigned
to a unique member, the leaf key is also the individual member key. From the
previous chapter, we note that the entropy of member revocation is the same as the
entropy of the leaf key revocation. The internal node key for node $n$ is computed
using the formula

$k_n = f\left(g(k_{left(n)}),\, g(k_{right(n)})\right) \quad (5.1)$

where $f$ is a mixing function, $g$ is a one-way function, and $k_{left(n)}$ and $k_{right(n)}$ are the
keys of the left and the right children of node $n$. For example, $f$ can be an XOR
function.

[Figure 5.1: Key Update Process in [14]. Legend: root key at the top; open circles are the blinded keys known to $M_4$; filled circles are the keys known to $M_4$.]

McGrew  and  Sherman’s  construction  requires  that  the  following  invariant  is 
preserved  by  the  key  generation  procedure 

System  Invariant.  Every  member  knows  the  unblinded  node  keys  of  all  the 
nodes  on  the  path  from  its  leaf  to  the  root,  blinded  node  keys  that  are  siblings  to 
its  path  to  the  root,  and  no  other  blinded  or  unblinded  keys. 

The  intermediate  keys  are  computed  using  the  following  steps. 

• Every member is given its leaf key, and all the relevant sibling blinded node
keys.

• Every member independently computes its blinded keys of the nodes along
the path to the root.

• Every member computes the relevant internal node keys.

If any of the blinded keys changes, then the corresponding siblings should be
updated with the new blinded key.

5.1.1 Computations under Addition or Deletion of Members

When  a  member  is  deleted  or  revoked,  the  node  keys  and  the  blinded  node  keys 
along  the  path  from  the  leaf  assigned  to  the  member  to  the  root  are  invalidated. 
If  n  is  a  node  for  which  the  blinded  node  key  and  the  node  key  were  revoked, 
and  m  is  the  sibling(s)  of  n,  all  the  descendants  of  m  need  to  be  given  the  new 
blinded  node  key  of  n.  If  the  member  deletion  or  revocation  leaves  only  one  child 
for  a  parent,  the  child  member  is  moved  up  to  the  parent  node. 

If  a  new  member  is  added  to  a  node  n,  node  n  is  split,  and  two  children  are 
generated.  In  order  to  prevent  any  other  member  from  colluding  and  compro¬ 
mising  the  keys,  the  new  children  leafs  are  given  new  set  of  leaf  keys.  All  the 
relevant  blinded  keys  are  given  to  the  members  whose  path  from  their  leafs  to 
the  root  are  sibling  to  the  newly  created  node  path. 
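The key computation of (5.1), the System Invariant and the revocation step above, as an added Python example that is not code from the dissertation or from [14]: the GC side builds the tree with $f = $ XOR and $g = $ SHA-256 (both are assumptions of this example; [14] only requires a one-way $g$ and a mixing $f$), hands each member nothing but its leaf key and the sibling blinded keys on its path, and the member side recomputes every unblinded key up to the root from exactly that. A revocation is modelled by giving the revoked leaf's sibling a fresh key, which changes every node key and blinded key on the revoked path; the relocation of a lone child to its parent is omitted. Members are numbered $M_1$ to $M_8$ as in figure 5.1, so $M_3$ and $M_4$ are siblings.

```python
import hashlib
import os
from typing import Dict, List


def g(key: bytes) -> bytes:
    """One-way (blinding) function g(.); SHA-256 here by assumption."""
    return hashlib.sha256(key).digest()


def f(left: bytes, right: bytes) -> bytes:
    """Mixing function f(.,.); XOR, as the text suggests."""
    return bytes(x ^ y for x, y in zip(left, right))


class OneWayFunctionTree:
    """GC-side view of a complete binary tree of depth h. Nodes are numbered
    heap-style (root 1, children of n are 2n and 2n+1); member M_i (i = 1..2^h)
    sits at leaf 2^h + i - 1."""

    def __init__(self, depth: int):
        self.depth = depth
        self.node_key: Dict[int, bytes] = {}
        for leaf in range(1 << depth, 1 << (depth + 1)):
            self.node_key[leaf] = os.urandom(32)   # fresh random leaf keys
        self._recompute_internal()

    def _recompute_internal(self) -> None:
        # Equation (5.1), bottom-up: k_n = f(g(k_left(n)), g(k_right(n)))
        for n in range((1 << self.depth) - 1, 0, -1):
            self.node_key[n] = f(g(self.node_key[2 * n]), g(self.node_key[2 * n + 1]))

    def leaf(self, member: int) -> int:
        return (1 << self.depth) + member - 1

    def path_to_root(self, member: int) -> List[int]:
        n, path = self.leaf(member), []
        while n >= 1:
            path.append(n)
            n //= 2
        return path

    def member_view(self, member: int) -> dict:
        """Exactly what the System Invariant lets a member hold: its own leaf key
        and the blinded keys of the siblings of the nodes on its path."""
        siblings = {n ^ 1: g(self.node_key[n ^ 1]) for n in self.path_to_root(member) if n > 1}
        return {"leaf": self.leaf(member),
                "leaf_key": self.node_key[self.leaf(member)],
                "sibling_blinded": siblings}

    def revoke(self, member: int) -> None:
        """Revocation: the sibling leaf receives a fresh key (delivered to that member
        by the GC), so every node key and blinded key on the revoked path changes.
        Members in other subtrees then need only the new blinded keys on that path."""
        self.node_key[self.leaf(member) ^ 1] = os.urandom(32)
        self._recompute_internal()


def derive_path_keys(view: dict) -> Dict[int, bytes]:
    """Member-side computation from a member_view(): the unblinded keys of every
    node on the path to the root, keyed by node number; entry 1 is the root key."""
    n, key = view["leaf"], view["leaf_key"]
    keys = {n: key}
    while n > 1:
        sibling_blinded = view["sibling_blinded"][n ^ 1]
        own_blinded = g(key)
        # the left child has the even index; order matters for a non-symmetric f
        key = f(own_blinded, sibling_blinded) if n % 2 == 0 else f(sibling_blinded, own_blinded)
        n //= 2
        keys[n] = key
    return keys
```

Every member recovers the same root key from its own view, and after `revoke(3)` the refreshed view of $M_4$ (and the updated sibling blinded key in the views of $M_1$, $M_2$ and $M_5$ to $M_8$) yields the new root, while a view captured before the revocation still only produces the old one.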

5.1.2  Summary  of  McGrew-Sherman  Approach 

Although  the  approach  proposed  by  McGrew  and  Sherman  can  reduce  the  amount 
of  communication  overhead  at  the  GC,  the  security  of  the  new  key  generation 
scheme  can’t  be  proven  rigorously  or  reduced  to  the  security  of  any  primitive. 
However, we do note that at this stage there doesn’t seem to be any obvious
weakness  in  the  scheme  either. 

An  alternate  method  proposed  by  Canetti  et  al  can  be  used  to  update  the 
keys  when  a  member  is  revoked  and  is  described  below. 

5.2  Worst  Case  Member  Revocation 

We again consider a binary tree of depth three. This tree can support a group
of eight members. In order to illustrate the method, we consider the case of
revoking member $M_1$. Figure 5.2 illustrates the revocation of $M_1$. The keys
$\{K_0, K_{2,1}, K_{1,1}, K_{0,1}\}$ are to be invalidated while revoking member $M_1$, and the
keys $\{K_0, K_{2,1}, K_{1,1}\}$ need to be updated for the relevant members. From
figure 5.2, a member $M_i$ needs to update the keys corresponding to the internal
nodes that are common to $M_i$ and $M_1$. For example, members $M_5, M_6, M_7, M_8$
share the root key with $M_1$, and need to update it after the revocation of member
$M_1$.


[Figure 5.2: Deletion of $M_1$ in Rooted-Tree of [10]. Root key at the top of the tree.]
As noted earlier, the tree structure allows the GC to update multiple members
simultaneously. In figure 5.3, members that can be grouped together are marked.
In [10], update of the keys is shown along the tree. As before, we use the notation
$\{m\}_K$ to denote the encryption of message $m$ using the key $K$. In removing $M_1$,
the following messages are encrypted and transmitted: $\{K'_{1,1}\}_{K_{0,2}}$, $\{K'_{2,1}\}_{K'_{1,1}}$,
$\{K'_{2,1}\}_{K_{1,2}}$, $\{K'_0\}_{K'_{2,1}}$, $\{K'_0\}_{K_{2,2}}$.

[Figure 5.3: Key Update After revocation of $M_1$ [10]. Root key at the top; leaf keys $K_{0,2}$ to $K_{0,8}$ belong to members $M_2$ to $M_8$.]

The number of encryptions needed is $2 \log N$ for the binary tree with
depth $\log N$. We now present the method by Canetti et al [13], which reduces the
communication overhead to $\log N$ instead of $2 \log N$.

5.3 A Scheme for Reducing Communication Overhead

In [13], Canetti et al presented an efficient key update method based on pseudo-random
functions. The security of their scheme can be reduced to the strength or
the security of the pseudo-random function used in the computation. We describe
their method below. A description of the method can also be found in [13, 16].

Figure  5.4  shows  the  type  of  update  performed  using  the  pseudo-random 
function.  In  order  to  prevent  any  obvious  security  weakness,  the  pseudo-random 
function  G(.)  is  chosen  so  that  it  doubles  the  size  of  the  input.  The  output  string 
is  then  split  into  two  strings  of  equal  length,  denoted  as  L(.),  and  R(.).  If  the 
input  is  denoted  by  x,  then  G(x)  =  L(x)R(x),  where  L(x)  and  R(x)  are  the  left 
and  right  strings  of  the  output. 

When  a  member  is  to  be  revoked,  the  GC  chooses  a  secret  key  or  a  random 
seed  r,  and  assigns  it  to  the  parent  node  of  the  leaf  node  to  which  the  revoked 
member  was  assigned.  Every  internal  node  n  along  the  path  from  the  root  to 
the  leaf  assigned  to  the  revoked  member  is  assigned  a  unique  fresh  value  rn .  The 
values  of  rn,  and  the  relevant  node  keys  are  computed  in  a  recursive  manner  from 
the  bottom  of  the  tree  to  the  top  as  described  below. 


[Figure 5.4: Key update process using pseudo-random functions [13]. Root key $K_0 = L(R(R(r)))$ at the top; leaf keys $K_{0,2}$ to $K_{0,8}$ belong to members $M_2$ to $M_8$.]

Without  loss  of  generality,  we  illustrate  the  update  procedure  for  revocation 
of  Mi. 
1. The GC chooses a fresh random quantity $r$, encrypts it, and sends $\{r\}_{K_{0,2}}$ to
$M_2$.

2. The member $M_2$ computes $G(r) = L(r)R(r)$, and locally computes the
parent node key $K'_{1,1} = L(r)$.

3. The GC then encrypts $R(r)$, and sends $\{R(r)\}_{K_{1,2}}$ to $M_3$ and $M_4$.

4. The members $M_2$, $M_3$ and $M_4$ independently compute the next level internal
node key $K'_{2,1}$ as $K'_{2,1} = L(R(r))$.

5. The GC then encrypts and distributes $R(R(r))$ to $M_5$ to $M_8$ as $\{R(R(r))\}_{K_{2,2}}$.

6. All the members can now compute the root key as $K'_0 = L(R(R(r)))$.

We  note  that  the  algorithm  can  be  generalized  to  a  d  —  ary  tree  without 
difficulty. 

The general procedure for revoking $M_1$ is summarized below (any encryption and
distribution is assumed to be done by the GC only):

1. Choose a fresh random quantity $r$ and assign it to the leaf node that is
revoked.

2. Encrypt and distribute the value of $r$ to the siblings of the revoked member.

3. For $i = 0, \dots, h$ ($h$ is the depth of the tree) repeat all the steps below.

4. Compute $G(R^i(r)) = L(R^i(r))\, R^{i+1}(r)$.

5. Compute the key of the internal node $i$ (excluding the revoked leaf)
$K'_{i,1} = L(R^i(r))$.

6. Encrypt and distribute $\{R^i(r)\}_{K_{i,2}}$ to the members who need that value, and
have not been provided with any value earlier.
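The exchange of steps 1 to 6, generalized to a binary tree of depth $h$, as an added Python example that is not part of the dissertation or of [13]: $G$ is modelled by SHA-512 so that a 32-byte input doubles to 64 bytes (an assumption; [13] fixes only the length-doubling property), the GC emits one value $R^i(r)$ per level, and each sibling subtree derives the updated keys $K'_{i,1} = L(R^i(r))$ up to the root. Encryption under the subtree keys $K_{i,2}$ is elided, and the message count is compared to the $2 \log N$ of [10] quoted in the text.

```python
import hashlib
import os
from typing import Dict, List, Optional, Tuple


def G(x: bytes) -> bytes:
    """Length-doubling pseudo-random function G(x) = L(x) R(x); SHA-512 by assumption
    (32-byte seed -> 64-byte output)."""
    return hashlib.sha512(x).digest()


def L(x: bytes) -> bytes:
    """Left half of G(x): becomes the new node key at the current level."""
    return G(x)[:32]


def R(x: bytes) -> bytes:
    """Right half of G(x): the value handed to the next level up."""
    return G(x)[32:]


def R_iter(r: bytes, i: int) -> bytes:
    """R^i(r), i applications of R (R^0(r) = r)."""
    for _ in range(i):
        r = R(r)
    return r


def gc_revocation_messages(r: bytes, h: int) -> List[Tuple[int, bytes]]:
    """The GC's messages when revoking a leaf of a depth-h binary tree. Level i
    (0 = the revoked leaf's sibling) receives R^i(r), which would be encrypted
    under the key K_{i,2} of the sibling subtree at that level. Returned as
    (level, plaintext) pairs; the encryption itself is elided here."""
    return [(i, R_iter(r, i)) for i in range(h)]


def member_new_keys(level_received: int, value: bytes, h: int) -> Dict[int, bytes]:
    """A member in the sibling subtree at `level_received` obtains R^{level}(r)
    and computes every updated key above it: K'_{i,1} = L(R^i(r)) for
    i = level_received .. h-1, the last one being the new root key K'_0."""
    keys: Dict[int, bytes] = {}
    cur = value
    for i in range(level_received, h):
        keys[i] = L(cur)   # new key of the level-i node on the revoked path
        cur = R(cur)       # R^{i+1}(r) is all that is needed one level up
    return keys


def revoke_member_binary_tree(h: int, r: Optional[bytes] = None) -> dict:
    """Full exchange for N = 2^h members: number of GC messages versus the
    2 log N of [10], and a check that every sibling subtree, fed only its own
    R^i(r), arrives at the same root key L(R^{h-1}(r))."""
    r = r or os.urandom(32)
    msgs = gc_revocation_messages(r, h)
    root_from_each = {lvl: member_new_keys(lvl, val, h)[h - 1] for lvl, val in msgs}
    return {
        "messages": len(msgs),
        "messages_wallner": 2 * h,
        "all_agree_on_root": len(set(root_from_each.values())) == 1,
        "root_key": root_from_each[0],
    }
```

For $h = 3$ this reproduces the six steps above: $M_2$ receives $r$, $M_3$ and $M_4$ receive $R(r)$, $M_5$ to $M_8$ receive $R(R(r))$, three messages in all, and everyone ends at $K'_0 = L(R(R(r)))$. A member that received $R^i(r)$ can only compute keys from level $i$ upward, which is what keeps $K'_{j,1}$ for $j < i$ away from the subtrees that must not learn it.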

Invoking the properties in [33], it was noted that $G(\cdot)$ being a pseudo-random
function, repeated applications of it to the input $r$ will make it difficult for the
GC to set the root key to be from the weak key space, i.e., if $G(\cdot)$ is pseudo-random,
the output of $G^l(r)$ is difficult to predict. Hence, iff $G(x) = L(x)R(x)$ is
a cryptographically strong pseudo-random function generator, it will be hard to
choose $k$ such that $k = L(R \cdots (r) \cdots)$. Canetti et al. claimed that this property
of the pseudo-random functions will prevent the GC from choosing weak keys.
We note that the argument assumes that the initial key assignment doesn’t include
any weak keys. Otherwise, the computation of the keys along the tree is somewhat
more complicated than that presented by Canetti et al.

5.3.1 Use of Pseudo-random Functions in Storage Reduction

The GC can minimize the key storage requirements by generating the member
specific keys as outputs of a pseudo-random function with indexing. In this
scheme [16], the GC holds a single secret key $r$, an index to a pseudo-random
function $f_r$ [16]. The leaf key of member $M_i$ is generated by $k_i = f_r(i)$. When
a user is compromised, the GC computes the new session key SK, encrypts the
new SK with the individual keys of each valid member and distributes it. The
security of this key generation scheme is based on the security of the pseudo-random
function and the encryption scheme used. For security reasons, if a
single member is compromised, the whole membership has to be updated with a
communication overhead of $O(N)$.
On the other hand, the rooted trees need only $O(\log N)$ communication messages
to update the keys. Hence, a mixed model of key distribution was
proposed in [16] to minimize the key storage requirements at the GC. In this model,
the group is divided into clusters of size $M$. Each cluster is assigned to a unique
leaf of a $d$-ary tree. Within the clusters, a cluster specific pseudo-random
function is used to generate member specific leaf keys.

The model can be summarized in the following steps: Given a group of size
$N$,

1. form clusters with fixed size $M$.

2. build an $a$-ary rooted-tree with depth

$b = \left\lceil \log_a \left\lceil \frac{N}{M} \right\rceil \right\rceil \quad (5.2)$

3. assign each cluster to a unique leaf node of the $a$-ary rooted-tree of depth
$b$.

4. use a pseudo-random function generator with a cluster specific seed and generate
the member specific keys.

Once the $a$-ary rooted-tree of depth $b$ is constructed, the key distribution is
done using the technique in [10].

Communication-Storage Parameters. Using the minimal storage scheme in conjunction
with the rooted-tree, the user storage, the GC storage, and the number
of encryptions needed can be computed analytically. We present the results with
two specific examples in the table below.
                  general $M, a$                          Example 1        Example 2
user storage      $\log_a (N/M)$                          $O(\log n)$      $2$
GC storage        $\frac{N a}{M (a-1)}$                                     $n^{0.5} + 1$
Encryptions       $(M - 1) + (a - 1) \log_a (N/M)$        $O(\log n)$      $2 n^{0.5} - 2$

Table 5.1: Parameters of the tradeoff scheme in [16]. Setting $a = 2$, $M = 1$ leads
to the results in [10]. In example 1, $a = 2$, $M = O(\log n)$; in example 2, $a = M = n^{0.5}$.

5.3.2  Problem  Posed 

Canetti et al noted that the choice of $M = \log N$ led to the key storage requirement
$O(N / \log N)$, which is sub-linear in $N$. They conjectured it [16] to be optimal
with a communication overhead of $O(\log N)$, and posed it as an open problem.

5.3.3 Answer to the Problem

We note that the answer to the open problem is NO. That the choice of $M$ they proposed does not lead to minimum storage can be shown by a direct computation of the total number of keys to be stored by the GC. The key distribution structure in [16] is an $a$-ary rooted tree of depth $b$ followed by a cluster of $M$ members at each leaf. The total number of keys, excluding the SK, is

$$S = \sum_{i=0}^{b} a^i = \frac{a^{b+1} - 1}{a - 1} \qquad (5.3)$$

$$\phantom{S} = \frac{aN - M}{M(a-1)}, \qquad (5.4)$$

where the second form uses $a^b = N/M$. Setting $a = 2$, $M = 1$ leads to the familiar result in [10] for a binary rooted tree, which has $(2N - 1)$ keys excluding the SK. The general form of the storage as a function of $M$ is a hyperbola given by the equation

$$S = \lambda \frac{N}{M} + \mu, \qquad (5.5)$$

where $\lambda = a/(a-1)$ and $\mu = -1/(a-1)$ are scalar constants.

The result of sub-linear storage was derived in [16] by setting $M = \log N$. Since the storage function is a hyperbola that decreases monotonically in $M$, the selection $M = \log N$ does not yield its minimal point. If the group size $N$ is sufficiently large, there are plenty of values of $M$ in the range $\log N < M < N$ that require less key storage than the choice $M = \log N$, at the price of the $(M-1)$ term in the number of encryptions of Table 5.1. We present numerical examples in tabular form for a binary tree ($a = 2$), for which the storage function reduces to $S = 2N/M - 1$.


$N$       | $\log N$ | Range for improved results
----------+----------+---------------------------
$2^{10}$  | 10       | $10 < M < N$
$2^{15}$  | 15       | $15 < M < N$
$2^{20}$  | 20       | $20 < M < N$

5.3.4 Further Improvement to the Cluster Based Techniques

We note that the solution presented by Canetti et al. need not be optimal in a heterogeneous network with non-uniform member revocation probabilities. If the member revocation probabilities are non-uniform, then, using the modeling in the previous section and assuming that the individual member revocation events are independent, the probability of revocation of cluster $i$ is the sum of the revocation probabilities of the cluster's members. Using these probabilities, we can define the entropy of cluster revocation in the same manner as the entropy of member revocation. Moreover, given the individual cluster revocation probabilities, we can solve the problem of the optimal number of keys per cluster for the $a$-ary rooted tree using a derivation identical to that in the previous chapter.

We summarize the results without repeating the proofs. Since the set of KEKs assigned to a cluster should be unique, and the KEKs are distributed on the nodes of the tree, the unique indexing requires that the number of keys assigned to a cluster satisfy the Kraft inequality [20, 21]. Denoting by $l_i$ the number of keys assigned to cluster $i$, whose probability of revocation is $p_i$, and letting $N$ now stand for the number of clusters, we note

$$\sum_{i=1}^{N} a^{-l_i} \le 1. \qquad (5.6)$$

Minimization of the average number of keys held by a member under the unique-indexing constraint leads to the solution that the optimal number of keys assigned to a cluster with revocation probability $p_i$ is $l_i = -\log_a p_i$. The following theorem summarizes the optimal number of keys per cluster.

Theorem 5.1. For a rooted-tree based key assignment that satisfies the Kraft inequality, the optimal average number of keys, excluding the root key and the SK, assigned to a cluster is given by the $a$-ary entropy $H_a = -\sum_{i=1}^{N} p_i \log_a p_i$ of the cluster revocation event. For a cluster $i$ with probability of revocation $p_i$ satisfying the optimization criteria, the optimal number of keys $l_i$, excluding the root key and the SK, is given by

$$l_i = -\log_a p_i, \qquad (5.7)$$

$$H_a = -\sum_{i=1}^{N} p_i \log_a p_i. \qquad (5.8)$$

In order to design the system for the worst case condition, from the view point of the GC the uncertainty as to which cluster is to be revoked next should be maximized subject to the condition $\sum_{i=1}^{N} p_i = 1$. Formally, we have the following optimization problem:

$$\text{maximize } H_a = -\sum_{i=1}^{N} p_i \log_a p_i \qquad (5.9)$$

$$\text{subject to } \sum_{i=1}^{N} p_i = 1.$$

In this formulation, the aim is to find the optimal value of each cluster revocation probability.

The optimal result is the well known uniform distribution over the cluster revocation probabilities, and the corresponding entropy is the maximal entropy $\log_a N$. Hence, the cluster sizes should be selected such that the revocation probabilities of all the clusters are identical. If all the members have the same probability of being revoked, the cluster sizes will also be the same; this, though, is only a special case. Hence, the results in [16] for key storage can be further improved in more than one way.
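The following Python block is an added example (not the dissertation's code) that carries Theorem 5.1 and the worst-case design of (5.9) through on constructed numbers: it rounds $l_i = -\log_a p_i$ up to whole keys, checks the Kraft inequality (5.6), evaluates $H_a$ of (5.8), and groups members with unequal revocation probabilities into clusters of roughly equal revocation probability. The rounding rule and the greedy, order-dependent grouping are this example's assumptions.

```python
"""Keys per cluster from cluster revocation probabilities (Theorem 5.1).

Added example; not code from the dissertation.  Assumptions: the real-valued
optimum l_i = -log_a p_i is rounded up to a whole number of keys (as for
Shannon code lengths), and members are grouped into equal-probability
clusters by a single greedy sweep over the members in the given order.
"""
import math


def log_a(x: float, a: int) -> float:
    return math.log(x) / math.log(a)


def keys_per_cluster(p, a: int):
    """Integer key counts l_i >= -log_a p_i of (5.7) for each cluster."""
    return [math.ceil(-log_a(pi, a) - 1e-9) for pi in p]


def kraft_sum(lengths, a: int) -> float:
    """Left side of the Kraft inequality (5.6); unique indexing needs <= 1."""
    return sum(a ** -l for l in lengths)


def entropy(p, a: int) -> float:
    """a-ary entropy H_a of the cluster revocation event, (5.8)."""
    return -sum(pi * log_a(pi, a) for pi in p if pi > 0)


def average_keys(p, lengths) -> float:
    """Average number of KEKs per cluster under revocation distribution p."""
    return sum(pi * li for pi, li in zip(p, lengths))


def cluster_probabilities(member_p, clusters):
    """Cluster revocation probability = sum over its members (section 5.3.4)."""
    return [sum(member_p[m] for m in cl) for cl in clusters]


def equal_mass_clusters(member_p, C: int):
    """Sweep the members once and close a cluster each time the running sum
    of revocation probability reaches the next multiple of 1/C.  Frequently
    revoked members therefore end up in small clusters and rarely revoked
    ones in large clusters; equality is exact only when the masses split
    evenly (assumption: greedy, no backtracking)."""
    total = sum(member_p)
    clusters, current, acc, k = [], [], 0.0, 1
    for m, pm in enumerate(member_p):
        current.append(m)
        acc += pm
        if k < C and acc >= k * total / C - 1e-9:
            clusters.append(current)
            current, k = [], k + 1
    if current:
        clusters.append(current)
    return clusters


if __name__ == "__main__":
    # constructed member revocation probabilities, two "hot" members first
    member_p = [0.25, 0.25, 0.1, 0.1, 0.1, 0.1, 0.05, 0.05]
    clusters = equal_mass_clusters(member_p, 4)
    p = cluster_probabilities(member_p, clusters)
    L = keys_per_cluster(p, 2)
    print(clusters, p, L, kraft_sum(L, 2), entropy(p, 2), average_keys(p, L))
```

For a dyadic distribution such as $p = (1/2, 1/4, 1/8, 1/8)$ the rounded lengths meet the Kraft bound with equality and the average key count equals $H_2 = 1.75$; for the eight uniform clusters the entropy reaches its maximum $\log_2 8 = 3$, and any other distribution on eight clusters falls below it, which is the worst-case criterion the GC designs for.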
Chapter 6

Conclusion


This dissertation addresses key generation and key distribution problems for a single sender, multiple receiver model of secure multicast. Commercial applications such as stock quote distribution and selective news updates belong to the single sender, multiple receiver model.

A new key generation scheme was proposed that allows a set of mutually suspicious members to generate a common secret without having to expose their individual secrets. In this scheme, we assumed that there is a third party to initiate the key generation procedure. Every key generating member is given an initial pad and a group binding parameter that is the sum of all the pads. Members generate individual shares called fractional keys, use their individual pads to create hidden fractional keys, and exchange the hidden fractional keys. Every member then combines the hidden fractional keys to obtain the hidden common key/secret. The group binding parameter is then used to remove the combined effect of all the pads and extract the new common key/secret. We also provided a mechanism to update the pads of individual members. The common key/secret, which is the sum of the individual shares, becomes the new group binding parameter. Hence the group binding parameter is updated every time the group keys are computed. Although we presented the key generation scheme for an additive law, variations such as using a multiplicative law for combining the individual secrets are also possible.

In the second part of the thesis, a new approach to key distribution was proposed that made use of basic concepts from information theory. In doing so, we also showed that the best, or optimal, strategy that minimizes the number of keys to be stored while also minimizing the number of update messages is equivalent to the optimal selection of codeword lengths. We further showed that the solution obtained using concepts from information theory does not prevent collusion. This point is demonstrated by considering the recent proposal by researchers at IBM corporation [17], and showing that their results correspond to an optimal selection of codeword lengths but lead to member collusion. We also presented the condition that prevents user collusion from compromising a valid member. We then showed that the use of entropy also allows one to group members into clusters with each cluster having equal probability of being revoked. We also showed that it is possible to find the optimal key assignment in the cluster case based on the entropy of the cluster revocation event.

There are many interesting problems and directions of future research arising from the work presented here.

First and foremost, the results need to be extended to the case of many senders and many receivers, which covers all possible multicast applications. Specifically we plan to pursue the following problems: authentication without reducing multicast performance; group key generation and distribution; handling membership across groups. What are the appropriate generalizations of the results presented in this thesis? What is the "correct" information theory analogy in the many-to-many case?

Second, we plan to investigate implementation of the key distribution system described in the thesis in real world networks. This will help identify any practical problems that may not have been recognized in the theoretical and analytical work presented here.

Third, we plan to investigate fast algorithms for group key generation, and we are particularly interested in approaches that lead to reduced key lengths, such as methods using elliptic curves. In this context we also intend to investigate applications in conditional access schemes for multicasting of real-time video and multimedia information streams. We are also interested in exploring applications in mobile networks and in networks with rapidly varying topologies, which cause fast dynamic changes in multicast group membership.

Fourth, a set of parameters identified by our theory is the member revocation probabilities $p_i$. Typically these will not be known exactly. How can they be estimated? What is the effect of inaccuracies in the estimates? Can we obtain robust schemes, and what is their cost in terms of scalability? Can we develop universal methods that do not rely on explicit estimates of these probabilities? Are these related to universal coding? Finally, we are interested in and plan to investigate attacks that are more general and sophisticated than the collusion attacks described here. Specific problems include intrusion detection, defense against covert channel use, and defense against schemes that exploit biasing of the key space by a contributing member.

Multicast security is a key and central problem in the Internet-centric world. We have investigated some initial problems in a systematic and analytical fashion. Much exciting and important research remains to be done.


BIBLIOGRAPHY

[1] T. Cover and J. Thomas, Elements of Information Theory, John Wiley & Sons, Inc., NY, 1991.

[2] M. Steiner, G. Tsudik, and M. Waidner, "Diffie-Hellman key distribution extended to group communication", 3rd ACM Conf. on Computer and Communications Security, 1996.

[3] A. Fiat and M. Naor, "Broadcast Encryption", Advances in Cryptology, Crypto'92, Lecture Notes in Computer Science, vol. 773, pp. 481-491, Springer-Verlag, Berlin, Germany, 1993.

[4] D. R. Stinson and T. V. Trung, "Some New Results on Key Distribution Patterns and Broadcast Encryption", to appear in Designs, Codes and Cryptography.

[5] D. R. Stinson, "On some methods for unconditionally secure key distribution and broadcast encryption", to appear in Designs, Codes and Cryptography.

[6] M. Burmester and Y. Desmedt, "A Secure and Efficient Conference Key Distribution System", Advances in Cryptology, Eurocrypt'94, Lecture Notes in Computer Science, vol. 950, pp. 275-286, Springer-Verlag, Berlin, Germany, 1994.

[7] H. Harney and C. Muckenhirn, "GKMP Architecture", Request for Comments (RFC) 2093, July 1997.

[8] H. Harney and C. Muckenhirn, "GKMP Specification", Internet RFC 2094, July 1997.

[9] S. Mittra, "Iolus: A Framework for Scalable Secure Multicasting", in Proceedings of ACM SIGCOMM'97, pp. 277-288, September 1997.

[10] D. M. Wallner, E. C. Harder, and R. C. Agee, "Key Management for Multicast: Issues and Architectures", Internet Draft, September 1998.

[11] C. K. Wong, M. Gouda, and S. S. Lam, "Secure Group Communications Using Key Graphs", in Proceedings of ACM SIGCOMM'98, September 2-4, 1998, Vancouver, Canada.

[12] R. Canetti and B. Pinkas, "A taxonomy of multicast security issues", Internet draft, April 1999.

[13] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, and B. Pinkas, "Multicast Security: A Taxonomy and Efficient Reconstructions", in Proceedings of IEEE Infocom'99.

[14] D. A. McGrew and A. Sherman, "Key Establishment in Large Dynamic Groups Using One-Way Function Trees", Manuscript, 1998.

[15] G. Caronni, M. Waldvogel, D. Sun, and B. Plattner, "Efficient Security for Large and Dynamic Groups", in Proc. of the Seventh Workshop on Enabling Technologies, IEEE Computer Society Press, 1998.

[16] R. Canetti, T. Malkin, and K. Nissim, "Efficient Communication-Storage Tradeoffs for Multicast Encryption", in Eurocrypt'99, pp. 456-470.

[17] I. Chang, R. Engel, D. Kandlur, D. Pendarakis, and D. Saha, "Key Management for Secure Internet Multicast Using Boolean Function Minimization Techniques", in Proceedings of IEEE Infocom'99.

[18] R. Canetti, P-C. Cheng, D. Pendarakis, J. R. Rao, P. Rohatgi, and D. Saha, "An Architecture for Secure Internet Multicast", Internet Draft, November 1998.

[19] B. Quinn, "IP Multicast Applications: Challenges and Solutions", Internet draft, November 1998.

[20] R. Poovendran and J. S. Baras, "An Information Theoretic Approach for Design and Analysis of Rooted-Tree Based Multicast Key Management Schemes", Springer-Verlag Lecture Notes in Computer Science, Advances in Cryptology, CRYPTO'99, August 1999, Santa Barbara, USA.

[21] R. Poovendran and J. S. Baras, "An Information Theoretic Approach to Multicast Key Management", in Proceedings of the IEEE Information Theory and Networking Workshop, Metsovo, Greece, June 1999.

[22] R. Poovendran, S. Ahmed, S. Corson, and J. Baras, "A Scalable Extension of Group Key Management Protocol", Proceedings of the ATIRP Conference, pp. 187-191, February 1998, Maryland.

[23] R. Poovendran, S. Corson, and J. Baras, "A Dynamic Group ElGamal Key Generation with Tight Binding", Proceedings of the ATIRP Conference, February 1999, Maryland.

[24] R. Poovendran, S. Corson, and J. Baras, "A Private Scheme for Distributed Shared Key Generation", Proceedings of the Information Theory Workshop, June 1999, South Africa.

[25] R. Poovendran, S. Corson, and J. Baras, "A Shared Key Generation Procedure Using Fractional Keys", Proceedings of IEEE Milcom, October 1998, Boston, MA.

[26] D. Boneh and M. Franklin, "Efficient Generation of Shared RSA Keys", Crypto'98.

[27] M. Yung, "Cryptovirology: Extortion-Based Security Threats and Countermeasures", Proceedings of the IEEE Symposium on Security and Privacy, pp. 129-140, 1995.

[28] J. L. Massey, "An Information-Theoretic Approach to Algorithms", Impact of Processing Techniques in Communications, NATO Advanced Study Institutes Series E91, pp. 3-20, 1985.

[29] J. L. Massey, "Some Applications of Source Coding to Cryptography", European Trans. on Telecom., vol. 5, pp. 421-429, July-August 1994.

[30] H. N. Jendal, Y. J. B. Kuhn, and J. L. Massey, "An Information-Theoretic Approach to Homomorphic Substitution", Advances in Cryptology, Eurocrypt'89, LNCS 434, pp. 382-394, 1990.

[31] Y. Desmedt, Y. Frankel, and M. Yung, "Multi-receiver/Multi-sender network security: efficient authenticated multicast feedback", IEEE Infocom'92, pp. 2045-2054.

[32] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Raton, 1997.

[33] M. Naor and O. Reingold, "From Unpredictability to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs", Advances in Cryptology, Crypto'98, Lecture Notes in Computer Science, vol. 1462, pp. 267-282, Springer-Verlag, Berlin, Germany, 1998.

[34] M. Luby, Pseudo-Random Functions and Applications, Princeton University Press, 1996.

[35] T. Hardjono, B. Cain, and N. Doraswamy, "A Framework for Group Key Management for Multicast Security", Internet draft, July 1998.

[36] A. Ballardie, "Scalable Multicast Key Distribution", Internet RFC 1949, May 1996.

[37] N. Koblitz, Algebraic Aspects of Cryptography, pp. 11-12, Springer-Verlag, New York, 1998.

[38] N. Koblitz, "Cryptography as a teaching tool", Cryptologia, October 1998.